4 This is the first preview release of Samba 4.9. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.9 will be the next version of the Samba suite.
23 There is a new 'net ads setspn' sub command for managing Windows SPN(s)
24 on the AD. This command aims to give the basic functionaility that is
25 provided on windows by 'setspn.exe' e.g. ability to add, delete and list
26 Windows SPN(s) stored in a Windows AD Computer object.
28 The format of the command is:
30 net ads setspn list [machine]
31 net ads setspn [add | delete ] SPN [machine]
33 'machine' is the name of the computer account on the AD that is to be managed.
34 If 'machine' is not specified the name of the 'client' running the command
37 The format of a Windows SPN is
38 'serviceclass/host:port/servicename' (servicename and port are optional)
40 serviceclass/host is generally sufficient to specify a host based service.
42 net ads keytab changes
43 ----------------------
44 net ads keytab add no longer attempts to convert the passed serviceclass
45 (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
46 computer object. By default just the keytab file is modified.
48 A new keytab subcommand 'add_update_ads' has been added to preserve the
49 legacy behaviour. However the new 'net ads setspn add' subcommand should
50 really be used instead.
52 net ads keytab create no longer tries to generate SPN(s) from existing
53 entries in a keytab file. If it is required to add Windows SPN(s) then
54 'net ads setspn add' should be used instead.
56 Local authorization plugin for MIT Kerberos
57 -------------------------------------------
59 This plugin controls the relationship between Kerberos principals and AD
60 accounts through winbind. The module receives the Kerberos principal and the
61 local account name as inputs and can then check if they match. This can resolve
62 issues with canonicalized names returned by Kerberos within AD. If the user
63 tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
64 Kerberos would return ALICE as the username. Kerberos would not be able to map
65 'alice' to 'ALICE' in this case and auth would fail. With this plugin account
66 names can be correctly mapped. This only applies to GSSAPI authentication,
67 not for the geting the initial ticket granting ticket.
69 Database audit support
70 ----------------------
72 Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
73 under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
76 Transaction commits and roll backs are now logged to Samba's debug logs under
77 the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
78 JSON formatted log entries.
80 Password change audit support
81 -----------------------------
83 Password changes in the AD DC are now logged to Samba's debug logs under the
84 "dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
85 formatted log entries.
87 Group membership change audit support
88 -------------------------------------
90 Group membership changes on the AD DC are now logged to
91 Samba's debug log under the "dsdb_group_audit" debug class and
92 "dsdb_group_json_audit" for JSON formatted log entries.
94 Log Authentication duration
95 ---------------------------
97 For NTLM and Kerberos KDC authentication, the authentication duration is now
98 logged. Note that the duration is only included in the JSON formatted log
101 New Experimental LMDB LDB backend
102 ---------------------------------
104 A new experimental LDB backend using LMBD is now available. This allows
105 databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
106 increased in a future release). To enable lmdb, provision or join a domain using
107 the --backend-store=mdb option.
109 This requires that a version of lmdb greater than 0.9.16 is installed and that
110 samba has not been built with the --without-ldb-lmdb option.
112 Please note this is an experimental feature and is not recommended for
113 production deployments.
123 As the most popular Samba install platforms (Linux and FreeBSD) both
124 support extended attributes by default, the parameters "map readonly",
125 "store dos attributes" and "ea support" have had their defaults changed
126 to allow better Windows fileserver compatibility in a default install.
128 Parameter Name Description Default
129 -------------- ----------- -------
130 map readonly Default changed no
131 store dos attributes Default changed yes
132 ea support Default changed yes
134 VFS interface changes
135 =====================
137 The VFS ABI interface version has changed to 39. Function changes
140 SMB_VFS_FSYNC: Removed: Only async versions are used.
141 SMB_VFS_READ: Removed: Only PREAD or async versions are used.
142 SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
143 SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
144 SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
146 Any external VFS modules will need to be updated to match these
147 changes in order to work with 4.9.x.
152 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
155 #######################################
156 Reporting bugs & Development Discussion
157 #######################################
159 Please discuss this release on the samba-technical mailing list or by
160 joining the #samba-technical IRC channel on irc.freenode.net.
162 If you do report problems then please try to send high quality
163 feedback. If you don't provide vital information to help us track down
164 the problem then you will probably be ignored. All bug reports should
165 be filed under the Samba 4.1 and newer product in the project's Bugzilla
166 database (https://bugzilla.samba.org/).
169 ======================================================================
170 == Our Code, Our Bugs, Our Responsibility.
172 ======================================================================