X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=WHATSNEW.txt;h=360fe5614ca341da04471dde8601ea7938afd65c;hb=cd0df26bdc71175b69e11acd5750721ba6cf67e8;hp=39445cc0695051c4ae08915ed919fe792f57a483;hpb=ddd5a55e713d966d33065f98450677020892cdb4;p=samba.git diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 39445cc0695..360fe5614ca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,82 +1,282 @@ Release Announcements ===================== -This is the first preview release of Samba 4.6. This is *not* +This is the first preview release of Samba 4.11. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.6 will be the next version of the Samba suite. +Samba 4.11 will be the next version of the Samba suite. UPGRADING ========= -vfs_fruit option "fruit:resource" spelling correction ------------------------------------------------------ -Due to a spelling error in the vfs_fruit option parsing for the "fruit:resource" -option, users who have set this option in their smb.conf were still using the -default setting "fruit:resource = file" as the parser was looking for the string -"fruit:ressource" (two "s"). +NEW FEATURES/CHANGES +==================== -After upgrading to this Samba version 4.6, you MUST either remove the option -from your smb.conf or set it to the default "fruit:resource = file", otherwise -your macOS clients will not be able to access the resource fork data. +Default samba process model +--------------------------- -This version Samba 4.6 accepts both the correct and incorrect spelling, but the -next Samba version 4.7 will not accept the wrong spelling. +The default for the --model argument passed to the samba executable has changed +from 'standard' to 'prefork'. This means a difference in the number of samba +child processes that are created to handle client connections. The previous +default would create a separate process for every LDAP or NETLOGON client +connection. For a network with a lot of persistent client connections, this +could result in significant memory overhead. Now, with the new default of +'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of +worker processes at startup and share the client connections amongst these +workers. 
The number of worker processes can be configured by the 'prefork +children' setting in the smb.conf (the default is 4). -Users who were using the wrong spelling "ressource" with two "s" can keep the -setting, but are advised to switch to the correct spelling. +Authentication Logging. +----------------------- -NEW FEATURES/CHANGES -==================== +Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has +been added to the Authentication JSON log messages. This contains a random +logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed +to SamLogon, linking the windbind and SamLogon requests. -kerberos client encryption types --------------------------------- -Some parts of Samba (most notably winbindd) perform Kerberos client -operations based on a Samba-generated krb5.conf file. A new -parameter, "kerberos encryption types" allows configuring the -encryption types set in this file, thereby allowing the user to -enforce strong or legacy encryption in Kerberos exchanges. +The serviceDescription of the messages is set to "winbind", the authDescription +is set to one of: + "PASSDB, , " + "PAM_AUTH, , " + "NTLM_AUTH, , " +where: + is the name of the command makinmg the winbind request i.e. wbinfo + is the process id of the requesting process. + +The version of the JSON Authentication messages has been changed to 1.2 from 1.1 + +LDAP referrals +-------------- + +The scheme of returned LDAP referrals now reflects the scheme of the original +request, i.e. referrals received via ldap are prefixed with "ldap://" +and those over ldaps are prefixed with "ldaps://" + +Previously all referrals were prefixed with "ldap://" + +Bind9 logging +------------- + +It is now possible to log the duration of DNS operations performed by Bind9 +This should aid future diagnosis of performance issues, and could be used to +monitor DNS performance. 
The logging is enabled by setting log level to +"dns:10" in smb.conf + +The logs are currently Human readable text only, i.e. no JSON formatted output. + +Log lines are of the form: + + : DNS timing: result: [] duration: () + zone: [] name: [] data: [] + + durations are in microseconds. + +Default schema updated to 2012_R2 +--------------------------------- + +Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level +is not yet available. Older schemas can be used by provisioning with the +'--base-schema' argument. Existing installations can be updated with the +samba-tool command "domain schemaupgrade". -The default value of "all" is compatible with previous behavior, allowing -all encryption algorithms to be negotiated. Setting the parameter to "strong" -only allows AES-based algorithms to be negotiated. Setting the parameter to -"legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory. -This can solves some corner cases of mixed environments with Server 2003R2 and -newer DCs. +Samba's replication code has also been improved to handle replication +with the 2012 schema (the core of this replication fix has also been +backported to 4.9.11 and will be in a 4.10.x release). +GnuTLS 3.2 required +------------------- -new option for owner inheritance +Samba is making efforts to remove in-tree cryptographic functionality, +and to instead rely on externally maintained libraries. To this end, +Samba has chosen GnuTLS as our standard cryptographic provider. + +Samba now requires GnuTLS 3.2 to be installed (including development +headers at build time) for all configurations, not just the Samba AD +DC. + +NOTE WELL: The use of GnuTLS means that Samba will honour the +system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic +standard) and so will not operate in many still common situations if +this system-wide parameter is in effect, as many of our protocols rely +on outdated cryptography. 
+ +A future Samba version will mitigate this to some extent where good +cryptography effectively wraps bad cryptography, but for now that above +applies. + +samba-tool improvements +----------------------- + +A new "samba-tool contact" command has been added to allow the +command-line manipulation of contacts, as used for address book +lookups in LDAP. + +The "samba-tool [user|group|computer|group|contact] edit" command has been +improved to operate more pleasantly on international character sets. + +100,000 USER and LARGER Samba AD DOMAINS +======================================== + +Extensive efforts have been made to optimise Samba for use in +organisations (for example) targeting 100,000 users, plus 120,000 +computer objects, as well as large number of group memberships. + +Many of the specific efforts are detailed below, but the net results +is to remove barriers to significantly larger Samba deployments +compared to previous releases. + +Reindex performance improvements -------------------------------- -The "inherit owner" smb.conf parameter instructs smbd to set the -owner of files to be the same as the parent directory's owner. -Up until now, this parameter could be set to "yes" or "no". -A new option, "unix only", enables this feature only for the UNIX owner -of the file, not affecting the SID owner in the Windows NT ACL of the -file. This can be used to emulate something very similar to folder quotas. + +The performance of samba-tool dbcheck --reindex has been improved, +especially for large domains. + +join performance improvements +----------------------------- + +The performance of samba-tool domain join has been improved, +especially for large domains. + +LDAP Server memory improvements +------------------------------- + +The LDAP server has improved memory efficiency, ensuring that large +LDAP responses (for example a search for all objects) is not copied +multiple times into memory. 
+ +Setting lmdb map size +--------------------- + +It is now possible to set the lmdb map size (The maximum permitted +size for the database). "samba-tool" now accepts the +"--backend-store-size" i.e. --backend-store-size=4Gb. If not +specified it defaults to 8Gb. + +This option is avaiable for the following sub commands: + * domain provision + * domain join + * domain dcpromo + * drs clone-dc-database + +LDB "batch_mode" +---------------- + +To improve performance during batch operations i.e. joins, ldb now +accepts a "batch_mode" option. However to prevent any index or +database inconsistencies if an operation fails, the entire transaction +will be aborted at commit. + +New LDB pack format +------------------- + +On first use (startup of 'samba' or the first transaction write) +Samba's sam.ldb will be updated to a new more efficient pack format. +This will take a few moments. + +New LDB <= and >= index mode to improve replication performance +--------------------------------------------------------------- + +As well as a new pack format, Samba's sam.ldb uses a new index format +allowing Samba to efficiently select objects changed since the last +replication cycle. This in turn improves performance during +replication of large domains. + +Improvements to ldb search performance +-------------------------------------- + +Search performance on large LDB databases has been improved by +reducing memory allocations made on each object. + +Improvements to subtree rename performance +------------------------------------------ + +Improvements have been made to Samba's handling of subtree renames, +for example of containers and organisational units, however large +renames are still not recommended. + +CTDB changes +============ + +* nfs-linux-kernel-callout now defaults to using systemd service names + + The Red Hat service names continue to be the default. + + Other distributions should patch this file when packaging it. 
+ +* The onnode -o option has been removed + +* ctdbd logs when it is using more than 90% of a CPU thread + + ctdbd is single threaded, so can become saturated if it uses the + full capacity of a CPU thread. To help detect this situation, ctdbd + now logs messages when CPU utilisation exceeds 90%. Each change in + CPU utilisation over 90% is logged. A message is also logged when + CPU utilisation drops below the 90% threshold. + +* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed + + 05.system.script now monitors total memory (i.e. physical memory + + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE + script configuration variable. REMOVED FEATURES ================ +Web server +---------- + +As a leftover from work related to the Samba Web Administration Tool (SWAT), +Samba still supported a Python WSGI web server (which could still be turned on +from the 'server services' smb.conf parameter). This service was unused and has +now been removed from Samba. + + +samba-tool join subdommain +-------------------------- + +The subdommain role has been removed from the join command. This option did +not work and has no tests. + + +Python2 support +--------------- + +Samba 4.11 will not have any runtime support for Python 2. + +If you are building Samba using the '--disable-python' option +(i.e. you're excluding all the run-time Python support), then this +will continue to work on a system that supports either python2 or +python3. + +To build Samba with python2 you *must* set the 'PYTHON' environment +variable for both the 'configure' and 'make' steps, i.e. + 'PYTHON=python2 ./configure' + 'PYTHON=python2 make' +This will override the python3 default. + +Except for this specific build-time use of python2, Samba now requires +Python 3.4 as a minimum. 
smb.conf changes ================ - Parameter Name Description Default - -------------- ----------- ------- - kerberos encryption types New all - inherit owner New option - fruit:resource Spelling correction + Parameter Name Description Default + -------------- ----------- ------- + + web port Removed + fruit:zero_file_id Changed default False KNOWN ISSUES ============ -Currently none. +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs + ####################################### Reporting bugs & Development Discussion
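Review bot: The UPGRADING heading near the top of the hunk is left with no content once the vfs_fruit text is removed, yet the added lines describe several changes an operator has to act on before upgrading: the --model default moving from 'standard' to 'prefork', GnuTLS 3.2 becoming mandatory with Samba honouring the system-wide 'FIPS mode' (the text says it "will not operate in many still common situations"), the sam.ldb conversion to the new pack format on first use, and the removal of Python 2 runtime support. Suggest summarising these under UPGRADING with pointers to the detailed sections, or dropping the empty heading. In the smb.conf changes table, "fruit:zero_file_id Changed default False" has no matching description in the visible part of the hunk, so a reader cannot tell what the previous default was or why it changed; a short entry under NEW FEATURES/CHANGES would cover that. Smaller points in the added lines: "makinmg", "windbind" and "avaiable" are typos; "[user|group|computer|group|contact]" lists group twice; "i.e." is used where "e.g." is meant (for example "i.e. --backend-store-size=4Gb" and "i.e. joins"); and "subdommain" in the REMOVED FEATURES heading and text should be checked against the actual role name accepted by the join command.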