Release Announcements
=====================
-This is the first preview release of Samba 4.7. This is *not*
+This is the first preview release of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.7 will be the next version of the Samba suite.
+Samba 4.9 will be the next version of the Samba suite.
UPGRADING
=========
-smbclient changes
------------------
-smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
-banner when connecting to the first server. With SMB2 and Kerberos
-there's no way to print this information reliable. Now we avoid it at all
-consistently. In interactive session the following banner is now presented
-to the user: 'Try "help" do get a list of possible commands.'.
-
-The default for "client max protocol" has changed to "SMB3_11",
-which means that smbclient (and related commands) will work against
-servers without SMB1 support.
-
-It's possible to use the '-m/--max-protocol' option to overwrite
-the "client max protocol" option temporary.
+NEW FEATURES/CHANGES
+====================
-Note that the '-e/--encrypt' option also works with most SMB3 servers
-(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
-are not required for encryption.
-The change to SMB3_11 as default also means smbclient no longer
-negotiates SMB1 unix extensions by default, when talking to a Samba server with
-"unix extensions = yes". As a result some commands are not available, e.g.
-posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
-getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
+net ads setspn
+---------------
-Note the default ("CORE") for "client min protocol" hasn't changed,
-so it's still possible to connect to SMB1-only servers by default.
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionaility that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
+The format of the command is:
-NEW FEATURES/CHANGES
-====================
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
-Whole DB read locks: Improved LDAP and replication consistency
---------------------------------------------------------------
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
-Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
-and DRS replication operations.
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
-While each object returned remained subject to a record-level lock (so
-would remain consistent to itself), under a race condition with a
-rename or delete, it and any links (like the member attribute) to it
-would not be returned.
+serviceclass/host is generally sufficient to specify a host based service.
-The symptoms of this issue include:
+net ads keytab changes
+----------------------
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
+
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
+
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
+
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
+Database audit support
+----------------------
-Replication failures with this error showing in the client side logs:
- error during DRS repl ADD: No objectClass found in replPropertyMetaData for
- Failed to commit objects:
- WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
+Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
+under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
+entries.
-A crash of the server, in particular the rpc_server process with
- INTERNAL ERROR: Signal 11
+Transaction commits and roll backs are now logged to Samba's debug logs under
+the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
+JSON formatted log entries.
-LDAP read inconsistency
- A DN subject to a search at the same time as it is being renamed
- may not appear under either the old or new name, but will re-appear
- for a subsequent search.
+Password change audit support
+-----------------------------
-See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
-and updated advise on database recovery for affected installations.
+Password changes in the AD DC are now logged to Samba's debug logs under the
+"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
+formatted log entries.
+Group membership change audit support
+-------------------------------------
-Samba AD with MIT Kerberos
---------------------------
+Group membership changes on the AD DC are now logged to
+Samba's debug log under the "dsdb_group_audit" debug class and
+"dsdb_group_json_audit" for JSON formatted log entries.
-After four years of development, Samba finally supports compiling and
-running Samba AD with MIT Kerberos. You can enable it with:
+Log Authentication duration
+---------------------------
- ./configure --with-system-mitkrb5
+For NTLM and Kerberos KDC authentication, the authentication duration is now
+logged. Note that the duration is only included in the JSON formatted log
+entries.
-Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
-The krb5-devel and krb5-server packages are required.
-The feature set is not on par with with the Heimdal build but the most important
-things, like forest and external trusts, are working. Samba uses the KDC binary
-provided by MIT Kerberos.
+New Experimental LMDB LDB backend
+---------------------------------
-Missing features, compared to Heimdal, are:
- * PKINIT support
- * S4U2SELF/S4U2PROXY support
- * RODC support (not fully working with Heimdal either)
+A new experimental LDB backend using LMBD is now available. This allows
+databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+increased in a future release). To enable lmdb, provision or join a domain using
+the --backend-store=mdb option.
-The Samba AD process will take care of starting the MIT KDC and it will load a
-KDB (Kerberos Database) driver to access the Samba AD database. When
-provisioning an AD DC using 'samba-tool' it will take care of creating a correct
-kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
-kdc.conf by default. It is possible to use a different location during
-provision. You should consult the 'samba-tool' help and smb.conf manpage for
-details.
+This requires that a version of lmdb greater than 0.9.16 is installed and that
+samba has not been built with the --without-ldb-lmdb option.
-Dynamic RPC port range
-----------------------
+Please note this is an experimental feature and is not recommended for
+production deployments.
-The dynamic port range for RPC services has been changed from the old default
-value 1024-1300 to 49152-65535. This port range is not only used by a
-Samba AD DC but also applies to all other server roles including NT4-style
-domain controllers. The new value has been defined by Microsoft in Windows
-Server 2008 and newer versions. To make it easier for Administrators to control
-those port ranges we use the same default and make it configurable with the
-option: 'rpc server dynamic port range'.
-
-The 'rpc server port' option sets the first available port from the new
-'rpc server dynamic port range' option. The option 'rpc server port' only
-applies to Samba provisioned as an AD DC.
-
-Authentication and Authorization audit support
-----------------------------------------------
-
-Detailed authentication and authorization audit information is now
-logged to Samba's debug logs under the "auth_audit" debug class,
-including in particular the client IP address triggering the audit
-line. Additionally, if Samba is compiled against the jansson JSON
-library, a JSON representation is logged under the "auth_json_audit"
-debug class.
-
-Audit support is comprehensive for all authentication and
-authorisation of user accounts in the Samba Active Directory Domain
-Controller, as well as the implicit authentication in password
-changes. In the file server and classic/NT4 domain controller, NTLM
-authentication, SMB and RPC authorization is covered, however password
-changes are not at this stage, and this support is not currently
-backed by a testsuite.
-
-Multi-process LDAP Server
+Password Settings Objects
-------------------------
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
-The LDAP server in the AD DC now honours the process model used for
-the rest of the samba process, rather than being forced into a single
-process. This aids in Samba's ability to scale to larger numbers of AD
-clients and the AD DC's overall resiliency, but will mean that there is a
-fork()ed child for every LDAP client, which may be more resource
-intensive in some situations.
-
-Improved Read-Only Domain Controller (RODC) Support
----------------------------------------------------
-
-Support for RODCs in Samba AD until now has been experimental. With this latest
-version, many of the critical bugs have been fixed and the RODC can be used in
-DC environments requiring no writable behaviour. RODCs now correctly support
-bad password lockouts and password disclosure auditing through the
-msDS-RevealedUsers attribute.
-
-The fixes made to the RWDC will also allow Windows RODC to function more
-correctly and to avoid strange data omissions such as failures to replicate
-groups or updated passwords. Password changes are currently rejected at the
-RODC, although referrals should be given over LDAP. While any bad passwords can
-trigger domain-wide lockout, good passwords which have not been replicated yet
-for a password change can only be used via NTLM on the RODC (and not Kerberos).
-
-The reliability of RODCs locating a writable partner still requires some
-improvements and so the 'password server' configuration option is generally
-recommended on the RODC.
-
-Additional password hashes stored in supplementalCredentials
-------------------------------------------------------------
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
-A new config option 'password hash userPassword schemes' has been added to
-enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
-password with reversible encryption). This builds upon previous work to improve
-password sync for the AD DC (originally using GPG).
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
-The user command of 'samba-tool' has been updated in order to be able to
-extract these additional hashes, as well as extracting the (HTTP) WDigest
-hashes that we had also been storing in supplementalCredentials.
-
-Improvements to DNS during Active Directory domain join
--------------------------------------------------------
+Domain backup and restore
+-------------------------
+A new samba-tool command has been added that allows administrators to create a
+backup-file of their domain DB. In the event of a catastrophic failure of the
+domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
+New samba-tool options for diagnosing DRS replication issues
+------------------------------------------------------------
-The 'samba-tool' domain join command will now add the A and GUID DNS records
-(on both the local and remote servers) during a join if possible via RPC. This
-should allow replication to proceed more smoothly post-join.
+The 'samba-tool drs showrepl' command has two new options controlling
+the output. With --summary, the command says very little when DRS
+replication is working well. With --json, JSON is produced. These
+options are intended for human and machine audiences, respectively.
-The mname element of the SOA record will now also be dynamically generated to
-point to the local read-write server. 'samba_dnsupdate' should now be more
-reliable as it will now find the appropriate name server even when resolv.conf
-points to a forwarder.
+The 'samba-tool visualize uptodateness' visualizes replication lag as
+a heat-map matrix based on the DRS uptodateness vectors. This will
+show you if (but not why) changes are failing to replicate to some DCs.
-Significant AD performance and replication improvements
--------------------------------------------------------
+Automatic site coverage and GetDCName improvements
+--------------------------------------------------
-Previously, replication of group memberships was been an incredibly expensive
-process for the AD DC. This was mostly due to unnecessary CPU time being spent
-parsing member linked attributes. The database now stores these linked
-attributes in sorted form to perform efficient searches for existing members.
-In domains with a large number of group memberships, a join can now be
-completed in half the time compared with Samba 4.6.
+Samba's AD DC now automatically claims otherwise empty sites based on
+which DC is the nearest in the replication topology.
-LDAP search performance has also improved, particularly in the unindexed search
-case. Parsing and processing of security descriptors should now be more
-efficient, improving replication but also overall performance.
+This, combined with efforts to correctly identify the client side in
+the GetDCName Netlogon call will improve service to sites without a
+local DC.
-Query record for open file or directory
----------------------------------------
+Improved samba-tool computer command
+------------------------------------
-The record attached to an open file or directory in Samba can be
-queried through the 'net tdb locking' command. In clustered Samba this
-can be useful to determine the file or directory triggering
-corresponding "hot" record warnings in ctdb.
+The 'samba-tool computer' command allow manipulation of computer
+accounts including creating a new computer and resetting the password.
+This allows an 'offline join' of a member server or workstation to the
+Samba AD domain.
-Removal of lpcfg_register_defaults_hook()
------------------------------------------
+Samba performance tool now operates against Microsoft Windows AD
+----------------------------------------------------------------
-The undocumented and unsupported function lpcfg_register_defaults_hook()
-that was used by external projects to call into Samba and modify
-smb.conf default parameter settings has been removed. If your project
-was using this call please raise the issue on
-samba-technical@lists.samba.org in order to design a supported
-way of obtaining the same functionality.
+The Samba AD performance testing tool traffic_reply can now operate
+against a Windows based AD domain. Previously it only operated
+correctly against Samba.
-Change of loadable module interface
------------------------------------
+DNS entries are now cleaned up during DC demote
+-----------------------------------------------
-The _init function of all loadable modules in Samba has changed
-from:
+DNS records are now cleaned up as part of the 'samba-tool domain
+demote' including both the default and --remove-other-dead-server
+modes.
-NTSTATUS _init(void);
+Additionally DNS records can be automatically cleaned up for a given
+name with the 'samba-tool dns cleanup' command, which aids in cleaning
+up partially removed DCs.
-to:
+Samba now tested with CI GitLab
+-------------------------------
-NTSTATUS _init(TALLOC_CTX *);
+Samba developers now have pre-commit testing available in GitLab,
+giving reviewers confidence that the submitted patches pass a full CI
+before being submitted to the Samba Team's own autobuild system.
-This allows a program loading a module to pass in a long-lived
-talloc context (which must be guaranteed to be alive for the
-lifetime of the module). This allows modules to avoid use of
-the talloc_autofree_context() (which is inherently thread-unsafe)
-and still be valgrind-clean on exit. Modules that don't need to
-free long-lived data on exit should use the NULL talloc context.
-Parameter changes
------------------
+REMOVED FEATURES
+================
-The "strict sync" global parameter has been changed from
-a default of "no" to "yes". This means smbd will by default
-obey client requests to synchronize unwritten data in operating
-system buffers safely onto disk. This is a safer default setting
-for modern SMB1/2/3 clients.
-The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
-the previous behaviour. Two new values have been provided,
-'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1)
-and 'disabled', totally disabling NTLM authentication and password
-changes.
smb.conf changes
================
+As the most popular Samba install platforms (Linux and FreeBSD) both
+support extended attributes by default, the parameters "map readonly",
+"store dos attributes" and "ea support" have had their defaults changed
+to allow better Windows fileserver compatibility in a default install.
+
Parameter Name Description Default
-------------- ----------- -------
- allow unsafe cluster upgrade New parameter no
- auth event notification New parameter no
- auth methods Deprecated
- client max protocol Effective SMB3_11
- default changed
- map untrusted to domain New value/ auto
- Default changed/
- Deprecated
- mit kdc command New parameter
- profile acls Deprecated
- rpc server dynamic port range New parameter 49152-65535
- strict sync Default changed yes
- password hash userPassword schemes New parameter
- ntlm auth New values ntlmv2-only
+ map readonly Default changed no
+ store dos attributes Default changed yes
+ ea support Default changed yes
+
+VFS interface changes
+=====================
+
+The VFS ABI interface version has changed to 39. Function changes
+are:
+
+SMB_VFS_FSYNC: Removed: Only async versions are used.
+SMB_VFS_READ: Removed: Only PREAD or async versions are used.
+SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
+SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
+SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
+Any external VFS modules will need to be updated to match these
+changes in order to work with 4.9.x.
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff