-What's new in Samba 4 alpha17
+What's new in Samba 4 alpha20
=============================
Samba 4.0 will be the next version of the Samba suite and incorporates
support for the Active Directory logon protocols used by Windows 2000
and above.
+SECURITY RELEASE
+================
+
+This is a security release in order to address CVE-2012-2111
+(Incorrect permission checks when granting/removing privileges can
+compromise file server security).
+
+o CVE-2012-2111:
+ Samba 3.4.x to 3.6.4 are affected by a
+ vulnerability that allows arbitrary users
+ to modify privileges on a file server.
+
+This is in regards to the smbd file server, which is shipped in Samba
+4.0 alpha. The AD DC is not directly impacted, as the LSA
+implementation differs.
+
WARNINGS
========
-Samba4 alpha17 is not a final Samba release, however we are now making
+Samba4 alpha20 is not a final Samba release, however we are now making
good progress towards a Samba 4.0 release, of which this is a preview.
Be aware the this release contains both the technology of Samba 3.6
(that you can reasonably expect to upgrade existing Samba 3.x releases
internal workings of the DC code is now implemented in python.
-CHANGES SINCE alpha16
+CHANGES SINCE alpha19
=====================
-For a list of changes since alpha 15, please see the git log.
+For a list of changes since alpha 19, please see the git log.
$ git clone git://git.samba.org/samba.git
$ cd samba.git
-$ git log release-4-0-0alpha16..release-4-0-0alpha17
+$ git log samba-4.0.0alpha19..samba-4.0.0alpha20
Some major user-visible changes include:
-samba-tool dbcheck
-------------------
-
-We now have an fsck-like tool for Samba's internal sam.ldb database.
-Run samba-tool dbcheck after installation to check your database for
-self-consistency. Any database created with a previous Samba4 alpha
-will have a very large number of consistency errors, which this tool
-can fix.
+Improvements to the 'samba-tool domain samba3upgrade' and
+samba_upgradedns tools
-See also the -H option to point dbcheck at a different database to the
-default, and the --fix and --yes options to make changes and to not
-prompt about those changes.
+Stability improvements in the Samba4 winbind implementation (that
+used in the AD DC mode).
-After upgrading Samba, it is suggested that you do the following:
+The BIND 9 DLZ plugin is now compatible with both BIND 9.8, and BIND 9.9.
- - stop samba
- - take a backup copy of your sam.ldb and sam.ldb.d/* database files
- - run samba-tool dbcheck --cross-ncs --fix
- - use 'all' to say yes to fixing each type of error found
- - after it has finished, run dbcheck again to ensure it reports no
- errors
+dbcheck and runtime protection for the fSMORoleOwner attribute. This
+allows us to recover from a situation where the fSMORoleOwner is
+deleted.
-There will be a lot of errors fixed, particularly related to
-bad/missing GUID values. This is due to a bug in previous releases
-that left many objects with bad GUID values. These can all be fixed
-using dbcheck with steps above.
+Support for storing the posixAccount and other auxiliary objectClass
+values (the values are not used by Samba as an AD DC at this stage,
+but may be used by clients).
-New default paths
------------------
+Some major but less visible changes include:
-The configure options for paths have changed again, and the
---enable-fhs option has been reinstated. Packagers should attempt to
-first package Samba using:
+Continued early implementation work on the SMB 2.2 protocol client and server as
+the team improves and develops support these new protocols.
-./configure --enable-fhs --prefix=/usr --sysconfdir=/etc --localstatedir=/var
+Initial work to build Samba using MIT kerberos in the top level waf
+build system. This is not complete at this time, but good progress is
+being made.
-and only after examining the location Samba uses with these options
-should further changes be made. Existing packaging scripts are not
-expected to work unmodified, instead the Samba Team's aim is to
-simplify such scripts for the long term.
-
-samba-tool domain samba3upgrade
--------------------------------
-
-The new samba-tool domain samba3upgrade command is a supported upgrade route from Samba
-3.x domain controllers to Samba 4.0 AD domain controllers. This
-provides a one-time migration of all users, domain members, passwords,
-groups, group members and account polcies.
-
-This tool is still under development and may fail when presented with
-an inconsistant Samba3 database (such as many LDAP configurations).
-We hope to improve the error handling and recovery in these
-situations, so please provide feedback using the samba-technical
-mailing list.
KNOWN ISSUES
============
+- upgradeprovision should not be run when upgrading to this release
+ from a recent release. No important database format changes have
+ been made since alpha16.
+
- Installation on systems without a system iconv (and developer
headers at compile time) is known to cause errors when dealing with
non-ASCII characters.
- In some situations, group members may not be upgraded by the
- samba-tool domain upgrade_from_s3 script
-
-- The samba-tool domain join script will not join Windows 2000 domains.
+ samba-tool domain samba3upgrade tool
- Domain member support in the 'samba' binary is in it's infancy, and
is not comparable to the support found in winbindd. As such, do not