Release Announcements
=====================
-This is the first preview release of Samba 4.8. This is *not*
+This is the first preview release of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.8 will be the next version of the Samba suite.
+Samba 4.11 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
-Using x86_64 Accelerated AES Crypto Instructions
-================================================
+Default samba process model
+---------------------------
-Samba on x86_64 can now be configured to use the Intel accelerated AES
-instruction set, which has the potential to make SMB3 signing and
-encryption much faster on client and server. To enable this, configure
-Samba using the new option --accel-aes=intelaesni.
+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
-This is a temporary solution that is being included to allow users
-to enjoy the benefits of Intel accelerated AES on the x86_64 platform,
-but the longer-term solution will be to move Samba to a fully supported
-external crypto library.
+Authentication Logging.
+-----------------------
-The third_party/aesni-intel code will be removed from Samba as soon as
-external crypto library performance reaches parity.
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
-The default is to build without setting --accel-aes, which uses the
-existing Samba software AES implementation.
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
-KDC GPO application
--------------------
+The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-Adds Group Policy support for the samba kdc. Applies password policies
-(minimum/maximum password age, minimum password length, and password
-complexity) and kerberos policies (user/service ticket lifetime and
-renew lifetime).
-Adds the samba_gpoupdate script for applying and unapplying
-policy. Can be applied automatically by setting
- 'server services = +gpoupdate'.
-
-smb.conf changes
+REMOVED FEATURES
================
- Parameter Name Description Default
- -------------- ----------- -------
- oplock contention limit Removed
-
-NT4-style replication based net commands removed
-================================================
-
-The following commands and sub-commands have been removed from the
-"net" utility:
+Web server
+----------
-net rpc samdump
-net rpc vampire ldif
+As a leftover from work related to the Samba Web Administration Tool (SWAT),
+Samba still supported a Python WSGI web server (which could still be turned on
+from the 'server services' smb.conf parameter). This service was unused and has
+now been removed from Samba.
-Also, replicating from a real NT4 domain with "net rpc vampire" and
-"net rpc vampire keytab" has been removed.
-The NT4-based commands were accidentially broken in 2013, and nobody
-noticed the breakage. So instead of fixing them including tests (which
-would have meant writing a server for the protocols, which we don't
-have) we decided to remove them.
-
-For the same reason, the "samsync", "samdeltas" and "database_redo"
-commands have been removed from rpcclient.
+smb.conf changes
+================
-"net rpc vampire keytab" from Active Directory domains continues to be
-supported.
+ Parameter Name Description Default
+ -------------- ----------- -------
-vfs_aio_linux module removed
-============================
+ web port Removed
-The current Linux kernel aio does not match what Samba would
-do. Shipping code that uses it leads people to false
-assumptions. Samba implements async I/O based on threads by default,
-there is no special module required to see benefits of read and write
-request being sent do the disk in parallel.
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
#######################################