Release Announcements
=====================
-This is the first preview release of Samba 4.6. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.6 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.
UPGRADING
=========
-vfs_fruit option "fruit:resource" spelling correction
------------------------------------------------------
-
-Due to a spelling error in the vfs_fruit option parsing for the "fruit:resource"
-option, users who have set this option in their smb.conf were still using the
-default setting "fruit:resource = file" as the parser was looking for the string
-"fruit:ressource" (two "s").
-
-After upgrading to this Samba version 4.6, you MUST either remove the option
-from your smb.conf or set it to the default "fruit:resource = file", otherwise
-your macOS clients will not be able to access the resource fork data.
-
-This version Samba 4.6 accepts both the correct and incorrect spelling, but the
-next Samba version 4.7 will not accept the wrong spelling.
-
-Users who were using the wrong spelling "ressource" with two "s" can keep the
-setting, but are advised to switch to the correct spelling.
-
-ID Mapping
-----------
-We discovered that the majority of users have an invalid or incorrect
-ID mapping configuration. We implemented checks in the 'testparm' tool to
-validate the ID mapping configuration. You should run it and check if it prints
-any warnings or errors after upgrading! If it does you should fix them. See the
-'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
-There are some ID mapping backends which are not allowed to be used for the
-default backend. Winbind will no longer start if an invalid backend is
-configured as the default backend.
-
-To avoid problems in future we advise all users to run 'testparm' after
-changing the smb.conf file!
NEW FEATURES/CHANGES
====================
-Kerberos client encryption types
---------------------------------
-Some parts of Samba (most notably winbindd) perform Kerberos client
-operations based on a Samba-generated krb5.conf file. A new
-parameter, "kerberos encryption types" allows configuring the
-encryption types set in this file, thereby allowing the user to
-enforce strong or legacy encryption in Kerberos exchanges.
-
-The default value of "all" is compatible with previous behavior, allowing
-all encryption algorithms to be negotiated. Setting the parameter to "strong"
-only allows AES-based algorithms to be negotiated. Setting the parameter to
-"legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory.
-This can solves some corner cases of mixed environments with Server 2003R2 and
-newer DCs.
-
-Printing
---------
-Support for uploading printer drivers from newer Windows clients (Windows 10)
-has been added until our implementation of [MS-PAR] protocol is ready.
-Several issues with uploading different printing drivers have been addressed.
-
-The OS Version for the printing server has been increased to announce
-Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
-check the smb.conf manpage for details.
-
-new option for owner inheritance
---------------------------------
-The "inherit owner" smb.conf parameter instructs smbd to set the
-owner of files to be the same as the parent directory's owner.
-Up until now, this parameter could be set to "yes" or "no".
-A new option, "unix only", enables this feature only for the UNIX owner
-of the file, not affecting the SID owner in the Windows NT ACL of the
-file. This can be used to emulate something very similar to folder quotas.
-
-CTDB changes
-------------
-
-* "ctdb event" is a new top-level command for interacting with event scripts
- "ctdb event status" replaces "ctdb scriptstatus" - the latter is
- maintained for backward compatibility but the output format has been
- cleaned up
+net ads setspn
+---------------
- "ctdb event run" replaces "ctdb eventscript"
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionaility that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
- "ctdb event script enable" replaces "ctdb enablescript"
+The format of the command is:
- "ctdb event script disable" replaces "ctdb disablescript"
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
- The new command "ctdb event script list" lists event scripts.
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
-* CTDB's back-end for running event scripts has been replaced by a
- separate, long-running daemon ctdbd_eventd.
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
-* Running ctdb interactively will log to stderr
+serviceclass/host is generally sufficient to specify a host based service.
-* CTDB logs now include process id for each process
+net ads keytab changes
+----------------------
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
-* CTDB tags log messages differently. Changes include:
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
- ctdb-recoverd: Messages from CTDB's recovery daemon
- ctdb-recovery: Messages from CTDB database recovery
- ctdb-eventd: Messages from CTDB's event daemon
- ctdb-takeover: Messgaes from CTDB's public IP takeover subsystem
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
-* The mapping between symbolic and numeric debug levels has changed
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
- Configurations containing numeric debug levels should be updated.
- Symbolic debug levels are recommended. See the DEBUG LEVEL section
- of ctdb(7) for details.
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
-* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
-
- See ctdb-tunables(7) for details
-
-* CTDB's configuration tunables should be consistently set across a cluster
+REMOVED FEATURES
+================
- This has always been the cases for most tunables but this fact is
- now documented.
-* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
- To build/install these, use the --enable-etcd-reclock and
- --enable-ceph-reclock configure options.
+smb.conf changes
+================
+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
-REMOVED FEATURES
-================
+ Parameter Name Description Default
+ -------------- ----------- -------
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes
+VFS interface changes
+=====================
-smb.conf changes
-================
+The VFS ABI interface version has changed to 39. Function changes
+are:
- Parameter Name Description Default
- -------------- ----------- -------
- kerberos encryption types New all
- inherit owner New option
- fruit:resource Spelling correction
+SMB_VFS_FSYNC: Removed: Only async versions are used.
+SMB_VFS_READ: Removed: Only PREAD or async versions are used.
+SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
+SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
+SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+Any external VFS modules will need to be updated to match these
+changes in order to work with 4.9.x.
KNOWN ISSUES
============
-Currently none.
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+
#######################################
Reporting bugs & Development Discussion
git.samba.org / samba.git / blobdiff