Release Announcements
=====================
-This is the first preview release of Samba 4.9. This is *not*
+This is the first preview release of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.9 will be the next version of the Samba suite.
+Samba 4.11 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
+Default samba process model
+---------------------------
-net ads setspn
----------------
+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
-There is a new 'net ads setspn' sub command for managing Windows SPN(s)
-on the AD. This command aims to give the basic functionality that is
-provided on windows by 'setspn.exe' e.g. ability to add, delete and list
-Windows SPN(s) stored in a Windows AD Computer object.
+Authentication Logging.
+-----------------------
-The format of the command is:
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
-net ads setspn list [machine]
-net ads setspn [add | delete ] SPN [machine]
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
-'machine' is the name of the computer account on the AD that is to be managed.
-If 'machine' is not specified the name of the 'client' running the command
-is used instead.
+The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-The format of a Windows SPN is
- 'serviceclass/host:port/servicename' (servicename and port are optional)
+LDAP referrals
+--------------
-serviceclass/host is generally sufficient to specify a host based service.
+The scheme of returned LDAP referrals now reflects the scheme of the original
+request, i.e. referrals received via ldap are prefixed with "ldap://"
+and those over ldaps are prefixed with "ldaps://"
-net ads keytab changes
-----------------------
-net ads keytab add no longer attempts to convert the passed serviceclass
-(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
-computer object. By default just the keytab file is modified.
+Previously all referrals were prefixed with "ldap://"
-A new keytab subcommand 'add_update_ads' has been added to preserve the
-legacy behaviour. However the new 'net ads setspn add' subcommand should
-really be used instead.
+Bind9 logging
+-------------
-net ads keytab create no longer tries to generate SPN(s) from existing
-entries in a keytab file. If it is required to add Windows SPN(s) then
-'net ads setspn add' should be used instead.
+It is now possible to log the duration of DNS operations performed by Bind9
+This should aid future diagnosis of performance issues, and could be used to
+monitor DNS performance. The logging is enabled by setting log level to
+"dns:10" in smb.conf
-Local authorization plugin for MIT Kerberos
--------------------------------------------
+The logs are currently Human readable text only, i.e. no JSON formatted output.
-This plugin controls the relationship between Kerberos principals and AD
-accounts through winbind. The module receives the Kerberos principal and the
-local account name as inputs and can then check if they match. This can resolve
-issues with canonicalized names returned by Kerberos within AD. If the user
-tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
-Kerberos would return ALICE as the username. Kerberos would not be able to map
-'alice' to 'ALICE' in this case and auth would fail. With this plugin account
-names can be correctly mapped. This only applies to GSSAPI authentication,
-not for the getting the initial ticket granting ticket.
+Log lines are of the form:
-VFS audit modules
------------------
+ <function>: DNS timing: result: [<result>] duration: (<duration>)
+ zone: [<zone>] name: [<name>] data: [<data>]
-The vfs_full_audit module has changed it's default set of monitored successful
-and failed operations from "all" to "none". That helps to prevent potential
-denial of service caused by simple addition of the module to the VFS objects.
+ durations are in microseconds.
-Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
-syslog(3) facility, in accordance with the manual page.
+Default schema updated to 2012_R2
+---------------------------------
-Database audit support
-----------------------
+Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
+is not yet available. Older schemas can be used by provisioning with the
+'--base-schema' argument. Existing installations can be updated with the
+samba-tool command "domain schemaupgrade".
-Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
-under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
-entries.
+Samba's replication code has also been improved to handle replication
+with the 2012 schema (the core of this replication fix has also been
+backported to 4.9.11 and will be in a 4.10.x release).
-Transaction commits and roll backs are now logged to Samba's debug logs under
-the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
-JSON formatted log entries.
+GnuTLS 3.2 required
+-------------------
-Password change audit support
------------------------------
+Samba is making efforts to remove in-tree cryptographic functionality,
+and to instead rely on externally maintained libraries. To this end,
+Samba has chosen GnuTLS as our standard cryptographic provider.
-Password changes in the AD DC are now logged to Samba's debug logs under the
-"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
-formatted log entries.
+Samba now requires GnuTLS 3.2 to be installed (including development
+headers at build time) for all configurations, not just the Samba AD
+DC.
-Group membership change audit support
--------------------------------------
+NOTE WELL: The use of GnuTLS means that Samba will honour the
+system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
+standard) and so will not operate in many still common situations if
+this system-wide parameter is in effect, as many of our protocols rely
+on outdated cryptography.
-Group membership changes on the AD DC are now logged to
-Samba's debug log under the "dsdb_group_audit" debug class and
-"dsdb_group_json_audit" for JSON formatted log entries.
+A future Samba version will mitigate this to some extent where good
+cryptography effectively wraps bad cryptography, but for now that above
+applies.
-Log Authentication duration
----------------------------
+samba-tool improvements
+-----------------------
-For NTLM and Kerberos KDC authentication, the authentication duration is now
-logged. Note that the duration is only included in the JSON formatted log
-entries.
+A new "samba-tool contact" command has been added to allow the
+command-line manipulation of contacts, as used for address book
+lookups in LDAP.
-New Experimental LMDB LDB backend
----------------------------------
+The "samba-tool [user|group|computer|group|contact] edit" command has been
+improved to operate more pleasantly on international character sets.
-A new experimental LDB backend using LMDB is now available. This allows
-databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
-increased in a future release). To enable lmdb, provision or join a domain using
-the --backend-store=mdb option.
-
-This requires that a version of lmdb greater than 0.9.16 is installed and that
-samba has not been built with the --without-ldb-lmdb option.
-
-Please note this is an experimental feature and is not recommended for
-production deployments.
-
-Password Settings Objects
--------------------------
-Support has been added for Password Settings Objects (PSOs). This AD feature is
-also known as Fine-Grained Password Policies (FGPP).
-
-PSOs allow AD administrators to override the domain password policy settings
-for specific users, or groups of users. For example, PSOs can force certain
-users to have longer password lengths, or relax the complexity constraints for
-other users, and so on. PSOs can be applied to groups or to individual users.
-When multiple PSOs apply to the same user, essentially the PSO with the best
-precedence takes effect.
-
-PSOs can be configured and applied to users/groups using the 'samba-tool domain
-passwordsettings pso' set of commands.
-
-Domain backup and restore
--------------------------
-A new samba-tool command has been added that allows administrators to create a
-backup-file of their domain DB. In the event of a catastrophic failure of the
-domain, this backup-file can be used to restore Samba services.
-
-The new 'samba-tool domain backup online' command takes a snapshot of the
-domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
-in the domain should be taken offline, and the backup-file can then be used to
-recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
-Once the backed-up domain DB has been restored on the new DC, other DCs can
-then subsequently be joined to the new DC, in order to repopulate the Samba
-network.
-
-Domain rename tool
-------------------
-Basic support has been added for renaming a Samba domain. The rename feature is
-designed for the following cases:
-1). Running a temporary alternate domain, in the event of a catastrophic
-failure of the regular domain. Using a completely different domain name and
-realm means that the original domain and the renamed domain can both run at the
-same time, without interfering with each other. This is an advantage over
-creating a regular 'online' backup - it means the renamed/alternate domain can
-provide core Samba network services, while trouble-shooting the fault on the
-original domain can be done in parallel.
-2). Creating a realistic lab domain or pre-production domain for testing.
-
-Note that the renamed tool is currently not intended to support a long-term
-rename of the production domain. Currently renaming the GPOs is not supported
-and would need to be done manually.
-
-The domain rename is done in two steps: first, the 'samba-tool domain backup
-rename' command will clone the domain DB, renaming it in the process, and
-producing a backup-file. Then, the 'samba-tool domain backup restore' command
-takes the backup-file and restores the renamed DB to disk on a fresh DC.
-
-New samba-tool options for diagnosing DRS replication issues
-------------------------------------------------------------
-
-The 'samba-tool drs showrepl' command has two new options controlling
-the output. With --summary, the command says very little when DRS
-replication is working well. With --json, JSON is produced. These
-options are intended for human and machine audiences, respectively.
-
-The 'samba-tool visualize uptodateness' visualizes replication lag as
-a heat-map matrix based on the DRS uptodateness vectors. This will
-show you if (but not why) changes are failing to replicate to some DCs.
-
-Automatic site coverage and GetDCName improvements
---------------------------------------------------
-
-Samba's AD DC now automatically claims otherwise empty sites based on
-which DC is the nearest in the replication topology.
-
-This, combined with efforts to correctly identify the client side in
-the GetDCName Netlogon call will improve service to sites without a
-local DC.
-
-Improved samba-tool computer command
-------------------------------------
-
-The 'samba-tool computer' command allow manipulation of computer
-accounts including creating a new computer and resetting the password.
-This allows an 'offline join' of a member server or workstation to the
-Samba AD domain.
-
-Samba performance tool now operates against Microsoft Windows AD
-----------------------------------------------------------------
-
-The Samba AD performance testing tool traffic_reply can now operate
-against a Windows based AD domain. Previously it only operated
-correctly against Samba.
-
-DNS entries are now cleaned up during DC demote
------------------------------------------------
-
-DNS records are now cleaned up as part of the 'samba-tool domain
-demote' including both the default and --remove-other-dead-server
-modes.
-
-Additionally DNS records can be automatically cleaned up for a given
-name with the 'samba-tool dns cleanup' command, which aids in cleaning
-up partially removed DCs.
-
-Samba now tested with CI GitLab
+100,000 USER and LARGER Samba AD DOMAINS
+========================================
+
+Extensive efforts have been made to optimise Samba for use in
+organisations (for example) targeting 100,000 users, plus 120,000
+computer objects, as well as large number of group memberships.
+
+Many of the specific efforts are detailed below, but the net results
+is to remove barriers to significantly larger Samba deployments
+compared to previous releases.
+
+Reindex performance improvements
+--------------------------------
+
+The performance of samba-tool dbcheck --reindex has been improved,
+especially for large domains.
+
+join performance improvements
+-----------------------------
+
+The performance of samba-tool domain join has been improved,
+especially for large domains.
+
+LDAP Server memory improvements
-------------------------------
-Samba developers now have pre-commit testing available in GitLab,
-giving reviewers confidence that the submitted patches pass a full CI
-before being submitted to the Samba Team's own autobuild system.
+The LDAP server has improved memory efficiency, ensuring that large
+LDAP responses (for example a search for all objects) is not copied
+multiple times into memory.
+
+Setting lmdb map size
+---------------------
+
+It is now possible to set the lmdb map size (The maximum permitted
+size for the database). "samba-tool" now accepts the
+"--backend-store-size" i.e. --backend-store-size=4Gb. If not
+specified it defaults to 8Gb.
+
+This option is avaiable for the following sub commands:
+ * domain provision
+ * domain join
+ * domain dcpromo
+ * drs clone-dc-database
+
+LDB "batch_mode"
+----------------
-Dynamic DNS record scavenging support
--------------------------------------
+To improve performance during batch operations i.e. joins, ldb now
+accepts a "batch_mode" option. However to prevent any index or
+database inconsistencies if an operation fails, the entire transaction
+will be aborted at commit.
-It is now possible to enable scavenging of DNS Zones to remove DNS
-records that were dynamically created and have not been touched in
-some time.
+New LDB pack format
+-------------------
-This support should however only be enabled on new zones or new
-installations. Sadly old Samba versions suffer from BUG 12451 and
-mark dynamic DNS records as static and static records as dynamic.
-While a dbcheck rule may be able to find these in the future,
-currently a reliable test has not been devised.
+On first use (startup of 'samba' or the first transaction write)
+Samba's sam.ldb will be updated to a new more efficient pack format.
+This will take a few moments.
-Finally, there is not currently a command-line tool to enable this
-feature, currently it should be enabled from the DNS Manager tool from
-Windows. Also the feature needs to have been enabled by setting the smb.conf
-parameter "dns zone scavenging = yes".
+New LDB <= and >= index mode to improve replication performance
+---------------------------------------------------------------
+
+As well as a new pack format, Samba's sam.ldb uses a new index format
+allowing Samba to efficiently select objects changed since the last
+replication cycle. This in turn improves performance during
+replication of large domains.
+
+Improvements to ldb search performance
+--------------------------------------
+
+Search performance on large LDB databases has been improved by
+reducing memory allocations made on each object.
+
+Improvements to subtree rename performance
+------------------------------------------
+
+Improvements have been made to Samba's handling of subtree renames,
+for example of containers and organisational units, however large
+renames are still not recommended.
+
+CTDB changes
+============
+
+* nfs-linux-kernel-callout now defaults to using systemd service names
+
+ The Red Hat service names continue to be the default.
+
+ Other distributions should patch this file when packaging it.
+
+* The onnode -o option has been removed
+
+* ctdbd logs when it is using more than 90% of a CPU thread
+
+ ctdbd is single threaded, so can become saturated if it uses the
+ full capacity of a CPU thread. To help detect this situation, ctdbd
+ now logs messages when CPU utilisation exceeds 90%. Each change in
+ CPU utilisation over 90% is logged. A message is also logged when
+ CPU utilisation drops below the 90% threshold.
+
+* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
+
+ 05.system.script now monitors total memory (i.e. physical memory +
+ swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
+ script configuration variable.
REMOVED FEATURES
================
+Web server
+----------
+As a leftover from work related to the Samba Web Administration Tool (SWAT),
+Samba still supported a Python WSGI web server (which could still be turned on
+from the 'server services' smb.conf parameter). This service was unused and has
+now been removed from Samba.
-smb.conf changes
-================
-As the most popular Samba install platforms (Linux and FreeBSD) both
-support extended attributes by default, the parameters "map readonly",
-"store dos attributes" and "ea support" have had their defaults changed
-to allow better Windows fileserver compatibility in a default install.
+samba-tool join subdommain
+--------------------------
- Parameter Name Description Default
- -------------- ----------- -------
- map readonly Default changed no
- store dos attributes Default changed yes
- ea support Default changed yes
- full_audit:success Default changed none
- full_audit:failure Default changed none
+The subdommain role has been removed from the join command. This option did
+not work and has no tests.
-VFS interface changes
-=====================
-The VFS ABI interface version has changed to 39. Function changes
-are:
+Python2 support
+---------------
+
+Samba 4.11 will not have any runtime support for Python 2.
+
+If you are building Samba using the '--disable-python' option
+(i.e. you're excluding all the run-time Python support), then this
+will continue to work on a system that supports either python2 or
+python3.
+
+To build Samba with python2 you *must* set the 'PYTHON' environment
+variable for both the 'configure' and 'make' steps, i.e.
+ 'PYTHON=python2 ./configure'
+ 'PYTHON=python2 make'
+This will override the python3 default.
+
+Except for this specific build-time use of python2, Samba now requires
+Python 3.4 as a minimum.
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
-SMB_VFS_FSYNC: Removed: Only async versions are used.
-SMB_VFS_READ: Removed: Only PREAD or async versions are used.
-SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
-SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
-SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+ web port Removed
+ fruit:zero_file_id Changed default False
-Any external VFS modules will need to be updated to match these
-changes in order to work with 4.9.x.
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff