X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=WHATSNEW.txt;h=360fe5614ca341da04471dde8601ea7938afd65c;hb=cd0df26bdc71175b69e11acd5750721ba6cf67e8;hp=4035fd32385456ce03d120abbd8b09388e12b260;hpb=5a3690a48f60d68b66d9a76591382a66e62e1668;p=samba.git diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4035fd32385..360fe5614ca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,12 +1,12 @@ Release Announcements ===================== -This is the first preview release of Samba 4.9. This is *not* +This is the first preview release of Samba 4.11. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.9 will be the next version of the Samba suite. +Samba 4.11 will be the next version of the Samba suite. UPGRADING @@ -16,292 +16,266 @@ UPGRADING NEW FEATURES/CHANGES ==================== +Default samba process model +--------------------------- -net ads setspn ---------------- +The default for the --model argument passed to the samba executable has changed +from 'standard' to 'prefork'. This means a difference in the number of samba +child processes that are created to handle client connections. The previous +default would create a separate process for every LDAP or NETLOGON client +connection. For a network with a lot of persistent client connections, this +could result in significant memory overhead. Now, with the new default of +'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of +worker processes at startup and share the client connections amongst these +workers. The number of worker processes can be configured by the 'prefork +children' setting in the smb.conf (the default is 4). -There is a new 'net ads setspn' sub command for managing Windows SPN(s) -on the AD. This command aims to give the basic functionality that is -provided on windows by 'setspn.exe' e.g. ability to add, delete and list -Windows SPN(s) stored in a Windows AD Computer object. +Authentication Logging. +----------------------- -The format of the command is: +Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has +been added to the Authentication JSON log messages. This contains a random +logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed +to SamLogon, linking the windbind and SamLogon requests. -net ads setspn list [machine] -net ads setspn [add | delete ] SPN [machine] +The serviceDescription of the messages is set to "winbind", the authDescription +is set to one of: + "PASSDB, , " + "PAM_AUTH, , " + "NTLM_AUTH, , " +where: + is the name of the command makinmg the winbind request i.e. wbinfo + is the process id of the requesting process. -'machine' is the name of the computer account on the AD that is to be managed. -If 'machine' is not specified the name of the 'client' running the command -is used instead. +The version of the JSON Authentication messages has been changed to 1.2 from 1.1 -The format of a Windows SPN is - 'serviceclass/host:port/servicename' (servicename and port are optional) +LDAP referrals +-------------- -serviceclass/host is generally sufficient to specify a host based service. +The scheme of returned LDAP referrals now reflects the scheme of the original +request, i.e. referrals received via ldap are prefixed with "ldap://" +and those over ldaps are prefixed with "ldaps://" -net ads keytab changes ----------------------- -net ads keytab add no longer attempts to convert the passed serviceclass -(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD -computer object. By default just the keytab file is modified. +Previously all referrals were prefixed with "ldap://" -A new keytab subcommand 'add_update_ads' has been added to preserve the -legacy behaviour. However the new 'net ads setspn add' subcommand should -really be used instead. +Bind9 logging +------------- -net ads keytab create no longer tries to generate SPN(s) from existing -entries in a keytab file. If it is required to add Windows SPN(s) then -'net ads setspn add' should be used instead. +It is now possible to log the duration of DNS operations performed by Bind9 +This should aid future diagnosis of performance issues, and could be used to +monitor DNS performance. The logging is enabled by setting log level to +"dns:10" in smb.conf -Local authorization plugin for MIT Kerberos -------------------------------------------- +The logs are currently Human readable text only, i.e. no JSON formatted output. -This plugin controls the relationship between Kerberos principals and AD -accounts through winbind. The module receives the Kerberos principal and the -local account name as inputs and can then check if they match. This can resolve -issues with canonicalized names returned by Kerberos within AD. If the user -tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), -Kerberos would return ALICE as the username. Kerberos would not be able to map -'alice' to 'ALICE' in this case and auth would fail. With this plugin account -names can be correctly mapped. This only applies to GSSAPI authentication, -not for the getting the initial ticket granting ticket. +Log lines are of the form: -VFS audit modules ------------------ + : DNS timing: result: [] duration: () + zone: [] name: [] data: [] -The vfs_full_audit module has changed it's default set of monitored successful -and failed operations from "all" to "none". That helps to prevent potential -denial of service caused by simple addition of the module to the VFS objects. + durations are in microseconds. -Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid -syslog(3) facility, in accordance with the manual page. +Default schema updated to 2012_R2 +--------------------------------- -Database audit support ----------------------- +Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level +is not yet available. Older schemas can be used by provisioning with the +'--base-schema' argument. Existing installations can be updated with the +samba-tool command "domain schemaupgrade". -Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log -under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log -entries. +Samba's replication code has also been improved to handle replication +with the 2012 schema (the core of this replication fix has also been +backported to 4.9.11 and will be in a 4.10.x release). -Transaction commits and roll backs are now logged to Samba's debug logs under -the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for -JSON formatted log entries. +GnuTLS 3.2 required +------------------- -Password change audit support ------------------------------ +Samba is making efforts to remove in-tree cryptographic functionality, +and to instead rely on externally maintained libraries. To this end, +Samba has chosen GnuTLS as our standard cryptographic provider. -Password changes in the AD DC are now logged to Samba's debug logs under the -"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON -formatted log entries. +Samba now requires GnuTLS 3.2 to be installed (including development +headers at build time) for all configurations, not just the Samba AD +DC. -Group membership change audit support -------------------------------------- +NOTE WELL: The use of GnuTLS means that Samba will honour the +system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic +standard) and so will not operate in many still common situations if +this system-wide parameter is in effect, as many of our protocols rely +on outdated cryptography. -Group membership changes on the AD DC are now logged to -Samba's debug log under the "dsdb_group_audit" debug class and -"dsdb_group_json_audit" for JSON formatted log entries. +A future Samba version will mitigate this to some extent where good +cryptography effectively wraps bad cryptography, but for now that above +applies. -Log Authentication duration ---------------------------- +samba-tool improvements +----------------------- -For NTLM and Kerberos KDC authentication, the authentication duration is now -logged. Note that the duration is only included in the JSON formatted log -entries. +A new "samba-tool contact" command has been added to allow the +command-line manipulation of contacts, as used for address book +lookups in LDAP. -JSON library Jansson required for the AD DC -------------------------------------------- +The "samba-tool [user|group|computer|group|contact] edit" command has been +improved to operate more pleasantly on international character sets. -By default the Jansson JSON library is required for Samba to build. -It is strictly required for the Samba AD DC, and is optional for -builds --without-ad-dc by specifying --without-json-audit at configure -time. +100,000 USER and LARGER Samba AD DOMAINS +======================================== -New Experimental LMDB LDB backend ---------------------------------- +Extensive efforts have been made to optimise Samba for use in +organisations (for example) targeting 100,000 users, plus 120,000 +computer objects, as well as large number of group memberships. + +Many of the specific efforts are detailed below, but the net results +is to remove barriers to significantly larger Samba deployments +compared to previous releases. + +Reindex performance improvements +-------------------------------- + +The performance of samba-tool dbcheck --reindex has been improved, +especially for large domains. + +join performance improvements +----------------------------- -A new experimental LDB backend using LMDB is now available. This allows -databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be -increased in a future release). To enable lmdb, provision or join a domain using -the --backend-store=mdb option. - -This requires that a version of lmdb greater than 0.9.16 is installed and that -samba has not been built with the --without-ldb-lmdb option. - -Please note this is an experimental feature and is not recommended for -production deployments. - -Password Settings Objects -------------------------- -Support has been added for Password Settings Objects (PSOs). This AD feature is -also known as Fine-Grained Password Policies (FGPP). - -PSOs allow AD administrators to override the domain password policy settings -for specific users, or groups of users. For example, PSOs can force certain -users to have longer password lengths, or relax the complexity constraints for -other users, and so on. PSOs can be applied to groups or to individual users. -When multiple PSOs apply to the same user, essentially the PSO with the best -precedence takes effect. - -PSOs can be configured and applied to users/groups using the 'samba-tool domain -passwordsettings pso' set of commands. - -Domain backup and restore -------------------------- -A new samba-tool command has been added that allows administrators to create a -backup-file of their domain DB. In the event of a catastrophic failure of the -domain, this backup-file can be used to restore Samba services. - -The new 'samba-tool domain backup online' command takes a snapshot of the -domain DB from a given DC. In the event of a catastrophic DB failure, all DCs -in the domain should be taken offline, and the backup-file can then be used to -recreate a fresh new DC, using the 'samba-tool domain backup restore' command. -Once the backed-up domain DB has been restored on the new DC, other DCs can -then subsequently be joined to the new DC, in order to repopulate the Samba -network. - -Domain rename tool ------------------- -Basic support has been added for renaming a Samba domain. The rename feature is -designed for the following cases: -1). Running a temporary alternate domain, in the event of a catastrophic -failure of the regular domain. Using a completely different domain name and -realm means that the original domain and the renamed domain can both run at the -same time, without interfering with each other. This is an advantage over -creating a regular 'online' backup - it means the renamed/alternate domain can -provide core Samba network services, while trouble-shooting the fault on the -original domain can be done in parallel. -2). Creating a realistic lab domain or pre-production domain for testing. - -Note that the renamed tool is currently not intended to support a long-term -rename of the production domain. Currently renaming the GPOs is not supported -and would need to be done manually. - -The domain rename is done in two steps: first, the 'samba-tool domain backup -rename' command will clone the domain DB, renaming it in the process, and -producing a backup-file. Then, the 'samba-tool domain backup restore' command -takes the backup-file and restores the renamed DB to disk on a fresh DC. - -New samba-tool options for diagnosing DRS replication issues ------------------------------------------------------------- - -The 'samba-tool drs showrepl' command has two new options controlling -the output. With --summary, the command says very little when DRS -replication is working well. With --json, JSON is produced. These -options are intended for human and machine audiences, respectively. - -The 'samba-tool visualize uptodateness' visualizes replication lag as -a heat-map matrix based on the DRS uptodateness vectors. This will -show you if (but not why) changes are failing to replicate to some DCs. - -Automatic site coverage and GetDCName improvements --------------------------------------------------- - -Samba's AD DC now automatically claims otherwise empty sites based on -which DC is the nearest in the replication topology. - -This, combined with efforts to correctly identify the client side in -the GetDCName Netlogon call will improve service to sites without a -local DC. - -Improved samba-tool computer command ------------------------------------- - -The 'samba-tool computer' command allow manipulation of computer -accounts including creating a new computer and resetting the password. -This allows an 'offline join' of a member server or workstation to the -Samba AD domain. - -Samba performance tool now operates against Microsoft Windows AD ----------------------------------------------------------------- - -The Samba AD performance testing tool traffic_reply can now operate -against a Windows based AD domain. Previously it only operated -correctly against Samba. - -DNS entries are now cleaned up during DC demote ------------------------------------------------ - -DNS records are now cleaned up as part of the 'samba-tool domain -demote' including both the default and --remove-other-dead-server -modes. - -Additionally DNS records can be automatically cleaned up for a given -name with the 'samba-tool dns cleanup' command, which aids in cleaning -up partially removed DCs. - -samba-tool ntacl sysvolreset is now much faster ------------------------------------------------ - -The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, -is now much faster than in previous versions, after an internal -rework. - -Samba now tested with CI GitLab +The performance of samba-tool domain join has been improved, +especially for large domains. + +LDAP Server memory improvements ------------------------------- -Samba developers now have pre-commit testing available in GitLab, -giving reviewers confidence that the submitted patches pass a full CI -before being submitted to the Samba Team's own autobuild system. +The LDAP server has improved memory efficiency, ensuring that large +LDAP responses (for example a search for all objects) is not copied +multiple times into memory. + +Setting lmdb map size +--------------------- + +It is now possible to set the lmdb map size (The maximum permitted +size for the database). "samba-tool" now accepts the +"--backend-store-size" i.e. --backend-store-size=4Gb. If not +specified it defaults to 8Gb. + +This option is avaiable for the following sub commands: + * domain provision + * domain join + * domain dcpromo + * drs clone-dc-database + +LDB "batch_mode" +---------------- + +To improve performance during batch operations i.e. joins, ldb now +accepts a "batch_mode" option. However to prevent any index or +database inconsistencies if an operation fails, the entire transaction +will be aborted at commit. -Dynamic DNS record scavenging support -------------------------------------- +New LDB pack format +------------------- -It is now possible to enable scavenging of DNS Zones to remove DNS -records that were dynamically created and have not been touched in -some time. +On first use (startup of 'samba' or the first transaction write) +Samba's sam.ldb will be updated to a new more efficient pack format. +This will take a few moments. -This support should however only be enabled on new zones or new -installations. Sadly old Samba versions suffer from BUG 12451 and -mark dynamic DNS records as static and static records as dynamic. -While a dbcheck rule may be able to find these in the future, -currently a reliable test has not been devised. +New LDB <= and >= index mode to improve replication performance +--------------------------------------------------------------- -Finally, there is not currently a command-line tool to enable this -feature, currently it should be enabled from the DNS Manager tool from -Windows. Also the feature needs to have been enabled by setting the smb.conf -parameter "dns zone scavenging = yes". +As well as a new pack format, Samba's sam.ldb uses a new index format +allowing Samba to efficiently select objects changed since the last +replication cycle. This in turn improves performance during +replication of large domains. + +Improvements to ldb search performance +-------------------------------------- + +Search performance on large LDB databases has been improved by +reducing memory allocations made on each object. + +Improvements to subtree rename performance +------------------------------------------ + +Improvements have been made to Samba's handling of subtree renames, +for example of containers and organisational units, however large +renames are still not recommended. + +CTDB changes +============ + +* nfs-linux-kernel-callout now defaults to using systemd service names + + The Red Hat service names continue to be the default. + + Other distributions should patch this file when packaging it. + +* The onnode -o option has been removed + +* ctdbd logs when it is using more than 90% of a CPU thread + + ctdbd is single threaded, so can become saturated if it uses the + full capacity of a CPU thread. To help detect this situation, ctdbd + now logs messages when CPU utilisation exceeds 90%. Each change in + CPU utilisation over 90% is logged. A message is also logged when + CPU utilisation drops below the 90% threshold. + +* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed + + 05.system.script now monitors total memory (i.e. physical memory + + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE + script configuration variable. REMOVED FEATURES ================ +Web server +---------- +As a leftover from work related to the Samba Web Administration Tool (SWAT), +Samba still supported a Python WSGI web server (which could still be turned on +from the 'server services' smb.conf parameter). This service was unused and has +now been removed from Samba. -smb.conf changes -================ -As the most popular Samba install platforms (Linux and FreeBSD) both -support extended attributes by default, the parameters "map readonly", -"store dos attributes" and "ea support" have had their defaults changed -to allow better Windows fileserver compatibility in a default install. +samba-tool join subdommain +-------------------------- - Parameter Name Description Default - -------------- ----------- ------- - map readonly Default changed no - store dos attributes Default changed yes - ea support Default changed yes - full_audit:success Default changed none - full_audit:failure Default changed none +The subdommain role has been removed from the join command. This option did +not work and has no tests. -VFS interface changes -===================== -The VFS ABI interface version has changed to 39. Function changes -are: +Python2 support +--------------- + +Samba 4.11 will not have any runtime support for Python 2. + +If you are building Samba using the '--disable-python' option +(i.e. you're excluding all the run-time Python support), then this +will continue to work on a system that supports either python2 or +python3. + +To build Samba with python2 you *must* set the 'PYTHON' environment +variable for both the 'configure' and 'make' steps, i.e. + 'PYTHON=python2 ./configure' + 'PYTHON=python2 make' +This will override the python3 default. + +Except for this specific build-time use of python2, Samba now requires +Python 3.4 as a minimum. + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- -SMB_VFS_FSYNC: Removed: Only async versions are used. -SMB_VFS_READ: Removed: Only PREAD or async versions are used. -SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used. -SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used. -SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used. + web port Removed + fruit:zero_file_id Changed default False -Any external VFS modules will need to be updated to match these -changes in order to work with 4.9.x. KNOWN ISSUES ============ -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs #######################################