mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
b039ef4224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
198 lines
7.7 KiB
Plaintext
198 lines
7.7 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first preview release of Samba 4.7. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.7 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
smbclient changes
|
|
-----------------
|
|
|
|
smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
|
|
banner when connecting to the first server. With SMB2 and Kerberos
|
|
there's no way to print this information reliable. Now we avoid it at all
|
|
consistently. In interactive session the following banner is now presented
|
|
to the user: 'Try "help" do get a list of possible commands.'.
|
|
|
|
The default for "client max protocol" has changed to "SMB3_11",
|
|
which means that smbclient (and related commands) will work against
|
|
servers without SMB1 support.
|
|
|
|
It's possible to use the '-m/--max-protocol' option to overwrite
|
|
the "client max protocol" option temporary.
|
|
|
|
Note that the '-e/--encrypt' option also works with most SMB3 servers
|
|
(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
|
|
are not required for encryption.
|
|
|
|
The change to SMB3_11 as default also means smbclient no longer
|
|
negotiates SMB1 unix extensions by default, when talking to a Samba server with
|
|
"unix extensions = yes". As a result some commands are not available, e.g.
|
|
posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
|
|
getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
|
|
|
|
Note the default ("CORE") for "client min protocol" hasn't changed,
|
|
so it's still possible to connect to SMB1-only servers by default.
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
Samba AD with MIT Kerberos
|
|
--------------------------
|
|
|
|
After four years of development, Samba finally supports compiling and
|
|
running Samba AD with MIT Kerberos. You can enable it with:
|
|
|
|
./configure --with-system-mitkrb5
|
|
|
|
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
|
|
The krb5-devel and krb5-server packages are required.
|
|
The feature set is not on par with with the Heimdal build but the most important
|
|
things, like forest and external trusts, are working. Samba uses the KDC binary
|
|
provided by MIT Kerberos.
|
|
|
|
Missing features, compared to Heimdal, are:
|
|
* PKINIT support
|
|
* S4U2SELF/S4U2PROXY support
|
|
* RODC support (not fully working with Heimdal either)
|
|
|
|
The Samba AD process will take care of starting the MIT KDC and it will load a
|
|
KDB (Kerberos Database) driver to access the Samba AD database. When
|
|
provisioning an AD DC using 'samba-tool' it will take care of creating a correct
|
|
kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
|
|
kdc.conf by default. It is possible to use a different location during
|
|
provision. You should consult the 'samba-tool' help and smb.conf manpage for
|
|
details.
|
|
|
|
Dynamic RPC port range
|
|
----------------------
|
|
|
|
The dynamic port range for RPC services has been changed from the old default
|
|
value 1024-1300 to 49152-65535. This port range is not only used by a
|
|
Samba AD DC but also applies to all other server roles including NT4-style
|
|
domain controllers. The new value has been defined by Microsoft in Windows
|
|
Server 2008 and newer versions. To make it easier for Administrators to control
|
|
those port ranges we use the same default and make it configurable with the
|
|
option: 'rpc server dynamic port range'.
|
|
|
|
The 'rpc server port' option sets the first available port from the new
|
|
'rpc server dynamic port range' option. The option 'rpc server port' only
|
|
applies to Samba provisioned as an AD DC.
|
|
|
|
Authentication and Authorization audit support
|
|
----------------------------------------------
|
|
|
|
Detailed authentication and authorization audit information is now
|
|
logged to Samba's debug logs under the "auth_audit" debug class,
|
|
including in particular the client IP address triggering the audit
|
|
line. Additionally, if Samba is compiled against the jansson JSON
|
|
library, a JSON representation is logged under the "auth_json_audit"
|
|
debug class.
|
|
|
|
Audit support is comprehensive for all authentication and
|
|
authorisation of user accounts in the Samba Active Directory Domain
|
|
Controller, as well as the implicit authentication in password
|
|
changes. In the file server and classic/NT4 domain controller, NTLM
|
|
authentication, SMB and RPC authorization is covered, however password
|
|
changes are not at this stage, and this support is not currently
|
|
backed by a testsuite.
|
|
|
|
Query record for open file or directory
|
|
---------------------------------------
|
|
|
|
The record attached to an open file or directory in Samba can be
|
|
queried through the 'net tdb locking' command. In clustered Samba this
|
|
can be useful to determine the file or directory triggering
|
|
corresponding "hot" record warnings in ctdb.
|
|
|
|
Removal of lpcfg_register_defaults_hook()
|
|
-----------------------------------------
|
|
|
|
The undocumented and unsupported function lpcfg_register_defaults_hook()
|
|
that was used by external projects to call into Samba and modify
|
|
smb.conf default parameter settings has been removed. If your project
|
|
was using this call please raise the issue on
|
|
samba-technical@lists.samba.org in order to design a supported
|
|
way of obtaining the same functionality.
|
|
|
|
Change of loadable module interface
|
|
-----------------------------------
|
|
|
|
The _init function of all loadable modules in Samba has changed
|
|
from:
|
|
|
|
NTSTATUS _init(void);
|
|
|
|
to:
|
|
|
|
NTSTATUS _init(TALLOC_CTX *);
|
|
|
|
This allows a program loading a module to pass in a long-lived
|
|
talloc context (which must be guaranteed to be alive for the
|
|
lifetime of the module). This allows modules to avoid use of
|
|
the talloc_autofree_context() (which is inherently thread-unsafe)
|
|
and still be valgrind-clean on exit. Modules that don't need to
|
|
free long-lived data on exist should use the NULL talloc context.
|
|
|
|
Parameter changes
|
|
-----------------
|
|
|
|
The "strict sync" global parameter has been changed from
|
|
a default of "no" to "yes". This means smbd will by default
|
|
obey client requests to synchronize unwritten data in operating
|
|
system buffers safely onto disk. This is a safer default setting
|
|
for modern SMB1/2/3 clients.
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
allow unsafe cluster upgrade New parameter no
|
|
auth event notification New parameter no
|
|
auth methods Deprecated
|
|
client max protocol Effective SMB3_11
|
|
default changed
|
|
map untrusted to domain New value/ auto
|
|
Default changed/
|
|
Deprecated
|
|
mit kdc command New parameter
|
|
profile acls Deprecated
|
|
rpc server dynamic port range New parameter 49152-65535
|
|
strict sync Default changed yes
|
|
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
|
|
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical IRC channel on irc.freenode.net.
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|
|
|