Mirror of https://github.com/samba-team/samba.git
(synced 2025-03-01 04:58:35 +03:00)

Release Announcements
=====================

This is the fourth release candidate of Samba 4.3. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.3 will be the next version of the Samba suite.


UPGRADING
=========

Nothing special.

NEW FEATURES
============

Logging
-------

The logging code now supports logging to multiple backends. In
addition to the previously available syslog and file backends, the
backends for logging to the systemd-journal, lttng and gpfs have been
added. Please consult the section for the 'logging' parameter in the
smb.conf manpage for details.

Spotlight
---------

Support for Apple's Spotlight has been added by integrating with Gnome
Tracker.

For detailed instructions on how to build and set up Samba for Spotlight,
please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>

New FileChangeNotify subsystem
------------------------------

Samba now contains a new subsystem to do FileChangeNotify. The
previous system used a central database, notify_index.tdb, to store
all notification requests. In a cluster in particular, this turned out
to be a major bottleneck, because some hot records need to be bounced
back and forth between nodes on every change event, such as a newly
created file.

The new FileChangeNotify subsystem works with a central daemon per
node. Every FileChangeNotify request and every event are handled by an
asynchronous message from smbd to the notify daemon. The notify daemon
maintains a database of all FileChangeNotify requests in memory and
will distribute the notify events accordingly. This database is
asynchronously distributed in the cluster by the notify daemons.

The notify daemon is supposed to scale a lot better than the previous
implementation. The functional advantage is cross-node kernel change
notify: Files created via NFS will be seen by SMB clients on other
nodes per FileChangeNotify, despite the fact that popular cluster file
systems do not offer cross-node inotify.

Two changes to the configuration were required for this new subsystem:
The parameters "change notify" and "kernel change notify" are not
per-share anymore but must be set globally. It is therefore no longer
possible to enable or disable notify per share: the notify daemon has
no notion of a share and works only on absolute paths.

New SMB profiling code
----------------------

The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
of sysv IPC shared memory. This avoids performance problems and NUMA
effects. The profile stats are a bit more detailed than before.

Improved DCERPC man in the middle detection for kerberos
--------------------------------------------------------

The gssapi based kerberos backends for gensec have support for
DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.

SMB signing required in winbindd by default
-------------------------------------------

The effective value for "client signing" is required
by default for winbindd, if the primary domain uses active directory.

Experimental NTDB was removed
-----------------------------

The experimental NTDB library introduced in Samba 4.0 has been
removed again.

Improved support for trusted domains (as AD DC)
-----------------------------------------------

The support for trusted domains/forests has improved a lot.

samba-tool got "domain trust" subcommands to manage trusts:

  create - Create a domain or forest trust.
  delete - Delete a domain trust.
  list - List domain trusts.
  namespaces - Manage forest trust namespaces.
  show - Show trusted domain details.
  validate - Validate a domain trust.

External trusts between individual domains work in both ways
(inbound and outbound). The same applies to root domains of
a forest trust. The transitive routing into the other forest
is fully functional for kerberos, but not yet supported for NTLMSSP.

While a lot of things are working fine, there are currently a few limitations:

- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights
  in domain B.
- It's not possible to add users/groups of a trusted domain
  into domain groups.

SMB 3.1.1 supported
-------------------

Both client and server have support for SMB 3.1.1 now.

This is the dialect introduced with Windows 10; it improves the secure
negotiation of SMB dialects and features.

There's also a new optional encryption algorithm aes-gcm-128,
but for now this is only selected as fallback and aes-ccm-128
is preferred because of the better performance. This might change
in future versions when hardware encryption is supported.
See https://bugzilla.samba.org/show_bug.cgi?id=11451.

New smbclient subcommands
-------------------------

- Query a directory for change notifications: notify <dir name>
- Server side copy: scopy <source filename> <destination filename>

New rpcclient subcommands
-------------------------

  netshareenumall - Enumerate all shares
  netsharegetinfo - Get Share Info
  netsharesetinfo - Set Share Info
  netsharesetdfsflags - Set DFS flags
  netfileenum - Enumerate open files
  netnamevalidate - Validate sharename
  netfilegetsec - Get File security
  netsessdel - Delete Session
  netsessenum - Enumerate Sessions
  netdiskenum - Enumerate Disks
  netconnenum - Enumerate Connections
  netshareadd - Add share
  netsharedel - Delete share

New modules
-----------

  idmap_script - see 'man 8 idmap_script'
  vfs_unityed_media - see 'man 8 vfs_unityed_media'
  vfs_shell_snap - see 'man 8 vfs_shell_snap'

New sparsely connected replica graph (Improved KCC)
---------------------------------------------------

The Knowledge Consistency Checker (KCC) maintains a replication graph
for DCs across an AD network. The existing Samba KCC uses a fully
connected graph, so that each DC replicates from all the others, which
does not scale well with large networks. In 4.3 there is an
experimental new KCC that creates a sparsely connected replication
graph and closely follows Microsoft's specification. It is turned off
by default. To use the new KCC, set "kccsrv:samba_kcc=true" in
smb.conf and let us know how it goes. You should consider doing this
if you are making a large new network. For small networks there is
little benefit and you can always switch over at a later date.

Configurable TLS protocol support, with better defaults
-------------------------------------------------------

The "tls priority" option can be used to change the supported TLS
protocols. The default is to disable SSLv3, which is no longer
considered secure.

Samba-tool now supports all 7 FSMO roles
----------------------------------------

Previously "samba-tool fsmo" could only show, transfer or seize the
five well-known FSMO roles:

  Schema Master
  Domain Naming Master
  RID Master
  PDC Emulator
  Infrastructure Master

It can now also show, transfer or seize the DNS infrastructure roles:

  DomainDnsZones Infrastructure Master
  ForestDnsZones Infrastructure Master

CTDB logging changes
--------------------

The destination for CTDB logging is now set via a single new
configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and
CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for
details of CTDB_LOGGING.

CTDB no longer runs a separate logging daemon.

CTDB NFS support changes
------------------------

CTDB's NFS service management has been combined into a single 60.nfs
event script. This updated 60.nfs script now uses a call-out to
interact with different NFS implementations. See the CTDB_NFS_CALLOUT
option in the ctdbd.conf(5) manual page for details. A default
call-out is provided to interact with the Linux kernel NFS
implementation. The 60.ganesha event script has been removed - a
sample call-out is provided for NFS Ganesha, based on this script.

The method of configuring NFS RPC checks has been improved. See
ctdb/config/nfs-checks.d/README for details.

Improved Cross-Compiling Support
--------------------------------

A new "hybrid" build configuration mode is added to improve
cross-compilation support.

A common challenge in cross-compilation is that of obtaining the results
of tests that have to run on the target, during the configuration
phase of the build. The Samba build system already supports the following
means to do so:

  - Executing configure tests using the --cross-execute parameter
  - Obtaining the results from an answers file using the --cross-answers
    parameter

The first method has the drawback of inaccurate results if the tests are
run using an emulator, or a need to be connected to a running target
while building, if the tests are to be run on an actual target. The
second method presents a challenge of figuring out the test results.

The new hybrid mode runs the tests and records the result in an answer file.
To activate this mode, use both --cross-execute and --cross-answers in the
same configure invocation. This mode can be activated once against a
running target, and then the generated answers file can be used in
subsequent builds.

Also supplied is an example script that can be used as the
cross-execute program. This script copies the test to a running target
and runs the test on the target, obtaining the result. The obtained
results are more accurate than running the test with an emulator, because
they reflect the exact kernel and system libraries that exist on the
target.


######################################################################
Changes
#######

smb.conf changes
----------------

  Parameter Name            Description           Default
  --------------            -----------           -------
  logging                   New                   (empty)
  msdfs shuffle referrals   New                   no
  smbd profiling level      New                   off
  spotlight                 New                   no
  tls priority              New                   NORMAL:-VERS-SSL3.0
  use ntdb                  Removed
  change notify             Changed to [global]
  kernel change notify      Changed to [global]
  client max protocol       Changed default       SMB3_11
  server max protocol       Changed default       SMB3_11

Removed modules
---------------

  vfs_notify_fam - see section 'New FileChangeNotify subsystem'.

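The following Python script is an added illustration, not part of Samba
or of these release notes. It scans an smb.conf for settings affected by
the changes listed above: per-share notify parameters, the removed
"use ntdb" parameter and vfs_notify_fam module, and a "tls priority"
override that omits the default SSLv3 exclusion. The sample configuration
is constructed, and the parser assumes no backslash line continuations.

```python
import re

# Constructed sample of a pre-4.3 smb.conf (not taken from the release notes).
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    use ntdb = no
    tls priority = NORMAL
[projects]
    path = /srv/projects
    Kernel Change Notify = no
    vfs objects = notify_fam streams_xattr
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Yield (section, normalised parameter, value) for each setting."""
    section = "global"  # assumption: settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, _norm(key), value.strip()

def audit(text):
    """Return (section, parameter, note) for settings changed in Samba 4.3."""
    findings = []
    for section, key, value in parse(text):
        if key in ("changenotify", "kernelchangenotify") and section != "global":
            findings.append((section, key, "must now be set in [global]"))
        elif key == "usentdb":
            findings.append((section, key, "parameter removed in 4.3"))
        elif key == "vfsobjects" and "notify_fam" in re.split(r"[\s,]+", value):
            findings.append((section, key, "vfs_notify_fam module removed"))
        elif key == "tlspriority" and "-VERS-SSL3.0" not in value.split(":"):
            findings.append((section, key, "override omits -VERS-SSL3.0"))
    return findings

if __name__ == "__main__":
    for section, key, note in audit(SAMPLE_CONF):
        print(f"[{section}] {key}: {note}")
```
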

KNOWN ISSUES
============

Currently none.


CHANGES SINCE 4.2.0rc3
======================


CHANGES SINCE 4.3.0rc2
======================

o Andrew Bartlett <abartlet@samba.org>
  * Bug 11436: samba-tool uncaught exception error
  * Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941
    LDAP_MATCHING_RULE_IN_CHAIN changes

o Ralph Boehme <slow@samba.org>
  * Bug 11278: Stream names with colon don't work with
    fruit:encoding = native
  * Bug 11426: net share allowedusers crashes

o Amitay Isaacs <amitay@gmail.com>
  * Bug 11432: Fix crash in nested ctdb banning
  * Bug 11434: Cannot build ctdbpmda
  * Bug 11431: CTDB's eventscript error handling is broken

o Stefan Metzmacher <metze@samba.org>
  * Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1)
  * Bug 11316: tevent_fd needs to be destroyed before closing the fd

o Arvid Requate <requate@univention.de>
  * Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs

o Martin Schwenke <martin@meltin.net>
  * Bug 11432: Fix crash in nested ctdb banning


CHANGES SINCE 4.3.0rc1
======================

o Jeremy Allison <jra@samba.org>
  * BUG 11359: strsep is not available on Solaris

o Björn Baumbach <bb@sernet.de>
  * BUG 11421: Build with GPFS support is broken

o Justin Maggard <jmaggard@netgear.com>
  * BUG 11320: "force group" with local group not working

o Martin Schwenke <martin@meltin.net>
  * BUG 11424: Build broken with --disable-python


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================