X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=WHATSNEW.txt;h=a385d076391d6fe5e8c6251d481bce6d6034088d;hb=61d6882b54d975cef25d5498f1662285a97a6179;hp=4216c4f27590547886aaccf1c7b346ecd9ddbd89;hpb=12cd7ab60a1d2cf891c061652fbcad6f8fed56d1;p=samba.git diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4216c4f2759..a385d076391 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -16,11 +16,33 @@ UPGRADING NEW FEATURES/CHANGES ==================== -The "strict sync" global parameter has been changed from -a default of "no" to "yes". This means smbd will by default -obey client requests to synchronize unwritten data in operating -system buffers safely onto disk. This is a safer default setting -for modern SMB1/2/3 clients. +Samba AD with MIT Kerberos +-------------------------- + +After four years of development, Samba finally supports compiling and +running Samba AD with MIT Kerberos. You can enable it with: + + ./configure --with-system-mitkrb5 + +Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. +The krb5-devel and krb5-server packages are required. +The feature set is not on par with with the Heimdal build but the most important +things, like forest and external trusts, are working. Samba uses the KDC binary +provided by MIT Kerberos. + +Missing features, compared to Heimdal, are: + * PKINIT support + * S4U2SELF/S4U2PROXY support + * RODC support (not fully working with Heimdal either) + +The Samba AD process will take care of starting the MIT KDC and it will load a +KDB (Kerberos Database) driver to access the Samba AD database. When +provisioning an AD DC using 'samba-tool' it will take care of creating a correct +kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system +kdc.conf by default. It is possible to use a different location during +provision. You should consult the 'samba-tool' help and smb.conf manpage for +details. + Authentication and Authorization audit support ---------------------------------------------- 
@@ -40,13 +62,53 @@ authentication, SMB and RPC authorization is covered, however password changes are not at this stage, and this support is not currently backed by a testsuite. +Parameter changes +----------------- + +The "strict sync" global parameter has been changed from +a default of "no" to "yes". This means smbd will by default +obey client requests to synchronize unwritten data in operating +system buffers safely onto disk. This is a safer default setting +for modern SMB1/2/3 clients. + smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- - strict sync Default changed yes auth event notification New parameter no + auth methods Deprecated + map untrusted to domain Deprecated + strict sync Default changed yes + +Removal of lpcfg_register_defaults_hook() +----------------------------------------- + +The undocumented and unsupported function lpcfg_register_defaults_hook() +that was used by external projects to call into Samba and modify +smb.conf default parameter settings has been removed. If your project +was using this call please raise the issue on +samba-technical@lists.samba.org in order to design a supported +way of obtaining the same functionality. + +Change of loadable module interface +----------------------------------- + +The _init function of all loadable modules in Samba has changed +from: + +NTSTATUS _init(void); + +to: + +NTSTATUS _init(TALLOC_CTX *); + +This allows a program loading a module to pass in a long-lived +talloc context (which must be guaranteed to be alive for the +lifetime of the module). This allows modules to avoid use of +the talloc_autofree_context() (which is inherently thread-unsafe) +and still be valgrind-clean on exit. Modules that don't need to +free long-lived data on exist should use the NULL talloc context. KNOWN ISSUES ============
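Review bot: In the first hunk (@@ -16,11 +16,33 @@, "Samba AD with MIT Kerberos"), the sentence "Note that 'samba-tool' will overwrite the system kdc.conf by default" is buried at the end of the last paragraph, and the text never names the option that selects a different location. An administrator provisioning on a host that already runs an MIT KDC needs to see this before running the tool, so I would move it into its own short paragraph and name the provision option there instead of deferring to the 'samba-tool' help. The "Missing features" list would also benefit from one line on whether any of those gaps affects existing Heimdal-based deployments that switch builds. Minor: "not on par with with the Heimdal build" has a doubled "with".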
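Review bot: In the second hunk (@@ -40,13 +62,53 @@), the smb.conf changes table gains "auth methods" and "map untrusted to domain" as Deprecated, but the new "Parameter changes" subsection only explains "strict sync". Please add a sentence for each deprecated parameter saying why it is deprecated and what an administrator who currently sets it should do instead. In "Change of loadable module interface", it would help to state what happens to an out-of-tree module still built with "NTSTATUS _init(void);", and to say who owns the context passed to "NTSTATUS _init(TALLOC_CTX *);", since the text requires it to outlive the module. Minor: "free long-lived data on exist" should read "on exit".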