'mdns name = mdns'
+Encrypted secrets
+=================
+Attributes deemed to be sensitive are now encrypted on disk. The sensitive
+values are currently:
+ pekList
+ msDS-ExecuteScriptPassword
+ currentValue
+ dBCSPwd
+ initialAuthIncoming
+ initialAuthOutgoing
+ lmPwdHistory
+ ntPwdHistory
+ priorValue
+ supplementalCredentials
+ trustAuthIncoming
+ trustAuthOutgoing
+ unicodePwd
+ clearTextPassword
+
+This encryption is enabled by default on a new provision or join, it
+can be disabled at provision or join time with the new option
+--plaintext-secrets.
+
+However, an in-place upgrade will not encrypt the database.
+
+Once encrypted, it is not possible to do an in-place downgrade (eg to
+4.7) of the database. To obtain an unencrypted copy of the database a
+new DC join should be performed, specifying the --plaintext-secrets
+option.
+
+The key file "encrypted_secrets.key" is created in the same directory
+as the database and should NEVER be disclosed. It is included by the
+samba_backup script.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
- binddns dir New
- gpo update command New
+ auth methods Removed
+ binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
+ gpo update command New
+ ldap ssl ads Deprecated
+ map untrusted to domain Removed
oplock contention limit Removed
- prefork children New 1
+ prefork children New 1
mdns name Added netbios
fruit:time machine Added false
+ profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
+ winbind trusted domains only Removed
+
NT4-style replication based net commands removed
================================================
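Review bot: In the "Encrypted secrets" text, the last paragraph says encrypted_secrets.key "should NEVER be disclosed" and then that it "is included by the samba_backup script", without stating the consequence: anyone who obtains such a backup obtains the key together with the database it protects. Suggest adding a sentence saying that backups produced by samba_backup need the same protection as the key file itself. The paragraph "However, an in-place upgrade will not encrypt the database." should also say how an upgraded DC gets an encrypted database, as the downgrade paragraph does for the reverse case. Minor: the sentence starting "This encryption is enabled by default" is a comma splice, "eg" should be "e.g.", and in the smb.conf table the "prefork children" row is removed and re-added with no visible change, which looks like a whitespace-only edit that should either be dropped or explained as column alignment.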
'symlink' command. The usage message for this command has also
been improved to remove confusion.
+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
REMOVED FEATURES
================
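Review bot: The closing advice to set "winbind scan trusted domains = no" depends on the admin knowing whether their setup needs the global list, but the preceding paragraph only says "Some pam_winbind setups may also require the global list", which gives no way to check. Suggest naming the pam_winbind configurations concerned, or the symptom an admin would see, and repeating here that the default listed in the smb.conf table is "yes", so behaviour is unchanged unless the option is set. Wording: "The dependency to global list" should read "The dependency on the global list", and "E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad." is a fragment that should be joined to the sentence before it.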