mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
b11697be1e
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
361 lines
12 KiB
Plaintext
361 lines
12 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first preview release of Samba 4.5. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.5 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
NTLMv1 authentication disabled by default
|
|
-----------------------------------------
|
|
|
|
In order to improve security we have changed
|
|
the default value for the "ntlm auth" option from
|
|
"yes" to "no". This may have impact on very old
|
|
client which doesn't support NTLMv2 yet.
|
|
|
|
The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
|
|
|
|
By default Samba will only allow NTLMv2 via NTLMSSP now,
|
|
as we have the following default "lanman auth = no",
|
|
"ntlm auth = no" and "raw NTLMv2 auth = no".
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
Support for LDAP_SERVER_NOTIFICATION_OID
|
|
----------------------------------------
|
|
|
|
The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
|
|
control. This can be used to monitor the active directory database
|
|
for changes.
|
|
|
|
KCC improvements for sparse network replication
|
|
-----------------------------------------------
|
|
|
|
The Samba KCC will now be the default knowledge consistency checker in
|
|
Samba AD. Instead of using full mesh replication between every DC, the
|
|
KCC will set up connections to optimize replication latency and cost
|
|
(using site links to calculate the routes). This change should allow
|
|
larger domains to function significantly better in terms of replication
|
|
traffic and the time spent performing DRS replication.
|
|
|
|
VLV - Virtual List View
|
|
-----------------------
|
|
|
|
The VLV Control allows applications to page the LDAP directory in the
|
|
way you might expect a live phone book application to operate, without
|
|
first downloading the entire directory.
|
|
|
|
DRS Replication for the AD DC
|
|
-----------------------------
|
|
|
|
DRS Replication in Samba 4.5 is now much more efficient in handling
|
|
linked attributes, particularly in large domains with over 1000 group
|
|
memberships or other links.
|
|
|
|
Replication is also much more reliable in the handling of tree
|
|
renames, such as the rename of an organizational unit containing many
|
|
users. Extensive tests have been added to ensure this code remains
|
|
reliable, particularly in the case of conflicts between objects added
|
|
with the same name on different servers.
|
|
|
|
Schema updates are also handled much more reliably.
|
|
|
|
samba-tool drs replicate with new options
|
|
-----------------------------------------
|
|
|
|
samba-tool drs replicate got two new options:
|
|
|
|
The option '--local-online' will do the DsReplicaSync() via IRPC
|
|
to the local dreplsrv service.
|
|
|
|
The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
|
|
DsReplicaSync(), which won't wait for the replication result.
|
|
|
|
replPropertyMetaData Changes
|
|
----------------------------
|
|
|
|
During the development of the DRS replication, tests showed that Samba
|
|
stores the replPropertyMetaData object incorrectly. To address this,
|
|
be aware that dbcheck will now detect and offer to fix all objects in
|
|
the domain for this error.
|
|
|
|
Linked attributes on deleted objects
|
|
------------------------------------
|
|
|
|
In Active Directory, an object that has been tombstoned or recycled
|
|
has no linked attributes. However, Samba incorrectly maintained such
|
|
links, slowing replication and run-time performance. dbcheck now
|
|
offers to remove such links, and they are no longer kept after the
|
|
object is tombstoned or recycled.
|
|
|
|
Improved AD DC performance
|
|
--------------------------
|
|
|
|
Many other improvements have been made to our LDAP database layer in
|
|
the AD DC, to improve performance, both during samba-tool domain
|
|
provision and at runtime.
|
|
|
|
Other dbcheck improvements
|
|
--------------------------
|
|
|
|
- samba-tool dbcheck can now find and fix a missing or corrupted
|
|
'deleted objects' container.
|
|
- BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
|
|
in objectClass as these were then re-sorted at the next dbcheck indefinitely.
|
|
|
|
Tombstone Reanimation
|
|
---------------------
|
|
|
|
Samba now supports tombstone reanimation, a feature in the AD DC
|
|
allowing tombstones, that is objects which have been deleted, to be
|
|
restored with the original SID and GUID still in place.
|
|
|
|
Multiple DNS Forwarders on the AD DC
|
|
------------------------------------
|
|
|
|
Multiple DNS forwarders are now supported on the AD DC, allowing
|
|
samba to fall back between two different DNS servers for forwarded queries.
|
|
|
|
Password quality plugin support in the AD DC
|
|
--------------------------------------------
|
|
|
|
The check password script now operates correctly in the AD DC (this
|
|
was silently ignored in past releases)
|
|
|
|
pwdLastSet is now correctly honoured
|
|
------------------------------------
|
|
|
|
BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
|
|
permitted passwords that next expire).
|
|
|
|
net ads dns unregister
|
|
----------------------
|
|
|
|
It is now possible to remove the DNS entries created with 'net ads register'
|
|
with the matching 'net ads unregister' command.
|
|
|
|
Samba-tool improvements
|
|
------------------------
|
|
|
|
Running samba-tool on the command line should now be a lot snappier. The tool
|
|
now only loads the code specific to the subcommand that you wish to run.
|
|
|
|
SMB 2.1 Leases enabled by default
|
|
---------------------------------
|
|
|
|
Leasing is an SMB 2.1 (and higher) feature which allows clients to
|
|
aggressively cache files locally above and beyond the caching allowed
|
|
by SMB 1 oplocks. This feature was disabled in previous releases, but
|
|
the SMB2 leasing code is now considered mature and stable enough to be
|
|
enabled by default.
|
|
|
|
Open File Description (OFD) Locks
|
|
---------------------------------
|
|
|
|
On systems that support them (currently only Linux), the fileserver now
|
|
uses Open File Description (OFD) locks instead of POSIX locks to implement
|
|
client byte range locks. As these locks are associated with a specific
|
|
file descriptor on a file this allows more efficient use when multiple
|
|
descriptors having file locks are opened onto the same file. An internal
|
|
tunable "smbd:force process locks = true" may be used to turn off OFD
|
|
locks if there appear to be problems with them.
|
|
|
|
Password sync as active directory domain controller
|
|
---------------------------------------------------
|
|
|
|
The new commands 'samba-tool user getpassword'
|
|
and 'samba-tool user syncpasswords' provide
|
|
access and syncing of various password fields.
|
|
|
|
If compiled with GPGME support (--with-gpgme) it's
|
|
possible to store cleartext passwords in a PGP/OpenGPG
|
|
encrypted form by configuring the new "password hash gpg key ids"
|
|
option. This requires gpgme devel and python packages to be installed
|
|
(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
|
|
|
|
Python crypto requirements
|
|
--------------------------
|
|
|
|
Some samba-tool subcommands require python-crypto and/or
|
|
python-m2crypto packages to be installed.
|
|
|
|
SmartCard/PKINIT improvements
|
|
-----------------------------
|
|
|
|
"samba-tool user create" accepts --smartcard-required
|
|
and "samba-tool user setpassword" accepts --smartcard-required
|
|
and --clear-smartcard-required.
|
|
|
|
Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
|
|
flags being set in the userAccountControl attribute.
|
|
At the same time the account password is reset to a random
|
|
NTHASH value.
|
|
|
|
Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
|
|
bit is set in the userAccountControl attribute of a user.
|
|
|
|
When doing a PKINIT based kerberos logon the KDC adds the
|
|
required PAC_CREDENTIAL_INFO element to the authorization data.
|
|
That means the NTHASH is shared between the PKINIT based client and
|
|
the domain controller, which allows the client to do NTLM based
|
|
authentication on behalf of the user. It also allows on offline
|
|
logon using a smartcard to work on Windows clients.
|
|
|
|
CTDB changes
|
|
------------
|
|
|
|
* New improved ctdb tool
|
|
|
|
ctdb tool has been completely rewritten using new client API.
|
|
Usage messages are much improved.
|
|
|
|
* Sample CTDB configuration file is installed as ctdbd.conf.
|
|
|
|
* The use of real-time scheduling when taking locks has been narrowed
|
|
to limit potential performance impacts on nodes
|
|
|
|
* CTDB_RECOVERY_LOCK now supports specification of an external helper
|
|
to take and hold the recovery lock
|
|
|
|
See the RECOVERY LOCK section in ctdb(7) for details. Documentation
|
|
for writing helpers is provided in doc/cluster_mutex_helper.txt.
|
|
|
|
* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
|
|
command that has "master", "list" and "status" subcommands
|
|
|
|
* The onnode command no longer supports the "recmaster", "lvs" and
|
|
"natgw" node specifications
|
|
|
|
* Faster resetting of TCP connections to public IP addresses during
|
|
failover
|
|
|
|
* Tunables MaxRedirectCount, ReclockPingPeriod,
|
|
DeferredRebalanceOnNodeAdd are now obsolete/ignored
|
|
|
|
* "ctdb listvars" now lists all variables, including the first one
|
|
|
|
* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
|
|
removed
|
|
|
|
These are not needed because "ctdb reloadips" should do the correct
|
|
rebalancing.
|
|
|
|
* Output for the following commands has been simplified:
|
|
|
|
ctdb getdbseqnum
|
|
ctdb getdebug
|
|
ctdb getmonmode
|
|
ctdb getpid
|
|
ctdb getreclock
|
|
ctdb getpid
|
|
ctdb pnn
|
|
|
|
These now simply print the requested output with no preamble. This
|
|
means that scripts no longer need to strip part of the output.
|
|
|
|
"ctdb getreclock" now prints nothing when the recovery lock is not
|
|
set.
|
|
|
|
* Output for the following commands has been improved:
|
|
|
|
ctdb setdebug
|
|
ctdb uptime
|
|
|
|
* "ctdb process-exists" has been updated to only take a PID argument
|
|
|
|
The PNN can be specified with -n <PNN>. Output also cleaned up.
|
|
|
|
* LVS support has been reworked - related commands and configuration
|
|
variables have changed
|
|
|
|
"ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
|
|
"ctdb lvs" command that has "master", "list" and "status"
|
|
subcommands.
|
|
|
|
See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
|
|
including configuration changes.
|
|
|
|
* Improved sample NFS Ganesha call-out
|
|
|
|
New shadow_copy2 options
|
|
------------------------
|
|
|
|
shadow:snapprefix
|
|
|
|
With growing number of snapshots file-systems need some mechanism to
|
|
differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
|
|
special events, etc. Therefore these file-systems provide different ways to tag
|
|
snapshots, e.g. provide a configurable way to name snapshots, which is not just
|
|
based on time. With only shadow:format it is very difficult to filter these
|
|
snapshots. With this optional parameter, one can specify a variable prefix
|
|
component for names of the snapshot directories in the file-system. If this
|
|
parameter is set, together with the shadow:format and shadow:delimiter
|
|
parameters it determines the possible names of snapshot directories in the
|
|
file-system. The option only supports Basic Regular Expression (BRE).
|
|
|
|
shadow:delimiter
|
|
|
|
This optional parameter is used as a delimiter between shadow:snapprefix and
|
|
shadow:format This parameter is used only when shadow:snapprefix is set.
|
|
|
|
Default: shadow:delimiter = "_GMT"
|
|
|
|
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
only user and username parameters
|
|
---------------------------------
|
|
These two parameters have long been deprecated and superseded by
|
|
"valid users" and "invalid users".
|
|
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
kccsrv:samba_kcc Changed default yes
|
|
ntlm auth Changed default no
|
|
only user Removed
|
|
password hash gpg key ids New
|
|
shadow:snapprefix New
|
|
shadow:delimiter New _GMT
|
|
smb2 leases Changed default yes
|
|
username Removed
|
|
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
Currently none.
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical IRC channel on irc.freenode.net.
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|
|
|