The branch, master has been updated
       via  3d12b42 NEWS[4.5.0]: Samba 4.5.0 Available for Download
      from  b6efe01 Add "Release Planning" to the releases box

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3d12b42878ea6dbc8c615fc11bdaf0b273410437
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 7 16:58:49 2016 +0200

    NEWS[4.5.0]: Samba 4.5.0 Available for Download
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/samba-4.5.0.html                        | 504 ++++++++++++++++++++++++
 posted_news/20160907-150254.4.5.0.body.html     |  12 +
 posted_news/20160907-150254.4.5.0.headline.html |   3 +
 3 files changed, 519 insertions(+)
 create mode 100644 history/samba-4.5.0.html
 create mode 100644 posted_news/20160907-150254.4.5.0.body.html
 create mode 100644 posted_news/20160907-150254.4.5.0.headline.html


Changeset truncated at 500 lines:

diff --git a/history/samba-4.5.0.html b/history/samba-4.5.0.html
new file mode 100644
index 0000000..78920a1
--- /dev/null
+++ b/history/samba-4.5.0.html
@@ -0,0 +1,504 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml";>
+<head>
+<title>Samba 4.5.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.5.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.gz";>Samba 
4.5.0 (gzipped)</a><br>
+<a 
href="https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.asc";>Signature</a>
+</p>
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.5.0
+                           September 7, 2016
+                   =============================
+
+
+This is the first stable release of the Samba 4.5 release series.
+
+
+UPGRADING
+=========
+
+NTLMv1 authentication disabled by default
+-----------------------------------------
+
+In order to improve security we have changed
+the default value for the &quot;ntlm auth&quot; option from
+&quot;yes&quot; to &quot;no&quot;. This may have impact on very old
+clients which doesn&apos;t support NTLMv2 yet.
+
+The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
+
+By default, Samba will only allow NTLMv2 via NTLMSSP now,
+as we have the following default &quot;lanman auth = no&quot;,
+&quot;ntlm auth = no&quot; and &quot;raw NTLMv2 auth = no&quot;.
+
+
+NEW FEATURES/CHANGES
+====================
+
+Support for LDAP_SERVER_NOTIFICATION_OID
+----------------------------------------
+
+The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
+control. This can be used to monitor the Active Directory database
+for changes.
+
+KCC improvements for sparse network replication
+-----------------------------------------------
+
+The Samba KCC will now be the default knowledge consistency checker in
+Samba AD. Instead of using full mesh replication between every DC, the
+KCC will set up connections to optimize replication latency and cost
+(using site links to calculate the routes). This change should allow
+larger domains to function significantly better in terms of replication
+traffic and the time spent performing DRS replication.
+
+VLV - Virtual List View
+-----------------------
+
+The VLV Control allows applications to page the LDAP directory in the
+way you might expect a live phone book application to operate, without
+first downloading the entire directory.
+
+DRS Replication for the AD DC
+-----------------------------
+
+DRS Replication in Samba 4.5 is now much more efficient in handling
+linked attributes, particularly in large domains with over 1000 group
+memberships or other links.
+
+Replication is also much more reliable in the handling of tree
+renames, such as the rename of an organizational unit containing many
+users.  Extensive tests have been added to ensure this code remains
+reliable, particularly in the case of conflicts between objects added
+with the same name on different servers.
+
+Schema updates are also handled much more reliably.
+
+samba-tool drs replicate with new options
+-----------------------------------------
+
+&apos;samba-tool drs replicate&apos; got two new options:
+
+The option &apos;--local-online&apos; will do the DsReplicaSync() via IRPC
+to the local dreplsrv service.
+
+The option &apos;--async-op&apos; will add DRSUAPI_DRS_ASYNC_OP to the
+DsReplicaSync(), which won&apos;t wait for the replication result.
+
+replPropertyMetaData Changes
+----------------------------
+
+During the development of the DRS replication, tests showed that Samba
+stores the replPropertyMetaData object incorrectly. To address this,
+be aware that &apos;dbcheck&apos; will now detect and offer to fix all objects 
in
+the domain for this error.
+
+For further information and instructions how to fix the problem, see
+https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
+
+Linked attributes on deleted objects
+------------------------------------
+
+In Active Directory, an object that has been tombstoned or recycled
+has no linked attributes.  However, Samba incorrectly maintained such
+links, slowing replication and run-time performance.  &apos;dbcheck&apos; now
+offers to remove such links, and they are no longer kept after the
+object is tombstoned or recycled.
+
+Improved AD DC performance
+--------------------------
+
+Many other improvements have been made to our LDAP database layer in
+the AD DC, to improve performance, both during &apos;samba-tool domain
+provision&apos; and at runtime.
+
+Other dbcheck improvements
+--------------------------
+
+ - &apos;samba-tool dbcheck&apos; can now find and fix a missing or corrupted
+   &apos;deleted objects&apos; container.
+ - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
+   in objectClass as these were then re-sorted at the next dbcheck 
indefinitely.
+
+Tombstone Reanimation
+---------------------
+
+Samba now supports tombstone reanimation, a feature in the AD DC
+allowing tombstones, that is objects which have been deleted, to be
+restored with the original SID and GUID still in place.
+
+Multiple DNS Forwarders on the AD DC
+------------------------------------
+
+Previously, the Samba internal DNS server supported only one DNS forwarder.
+The &quot;dns forwarder&quot; option has been enhanced and now supports a 
space-separated
+list of multiple DNS server IP addresses. As a result, Samba is now able to
+fall back to alternative DNS servers. In case that a DNS query to the first
+server timed out, it is sent to the next DNS server listed in the option.
+
+Password quality plugin support in the AD DC
+--------------------------------------------
+
+The check password script now operates correctly in the AD DC.
+
+pwdLastSet is now correctly honoured
+------------------------------------
+
+BUG 9654: The pwdLastSet attribute is now correctly handled (this previously
+permitted passwords that expire next).
+
+net ads dns unregister
+----------------------
+
+It is now possible to remove the DNS entries created with &apos;net ads 
register&apos;
+with the matching &apos;net ads unregister&apos; command.
+
+samba-tool improvements
+------------------------
+
+Running &apos;samba-tool&apos; on the command line should now be a lot 
snappier. The tool
+now only loads the code specific to the subcommand that you wish to run.
+
+SMB 2.1 Leases enabled by default
+---------------------------------
+
+Leasing is an SMB 2.1 (and higher) feature which allows clients to
+aggressively cache files locally above and beyond the caching allowed
+by SMB 1 oplocks. This feature was disabled in previous releases, but
+the SMB2 leasing code is now considered mature and stable enough to be
+enabled by default.
+
+Open File Description (OFD) Locks
+---------------------------------
+
+On systems that support them (currently only Linux), the fileserver now
+uses Open File Description (OFD) locks instead of POSIX locks to implement
+client byte range locks. As these locks are associated with a specific
+file descriptor on a file this allows more efficient use when multiple
+descriptors having file locks are opened onto the same file. An internal
+tunable &quot;smbd:force process locks = true&quot; may be used to turn off OFD
+locks if there appear to be problems with them.
+
+Password sync as Active Directory domain controller
+---------------------------------------------------
+
+The new commands &apos;samba-tool user getpassword&apos;
+and &apos;samba-tool user syncpasswords&apos; provide
+access and syncing of various password fields.
+
+If compiled with GPGME support (--with-gpgme) it&apos;s
+possible to store cleartext passwords in a PGP/OpenGPG
+encrypted form by configuring the new &quot;password hash gpg key ids&quot;
+option. This requires gpgme devel and python packages to be installed
+(e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu).
+
+Python crypto requirements
+--------------------------
+
+Some &apos;samba-tool&apos; subcommands require python-crypto and/or
+python-m2crypto packages to be installed.
+
+SmartCard/PKINIT improvements
+-----------------------------
+
+&apos;samba-tool user create&apos; accepts &quot;--smartcard-required&quot;
+and &apos;samba-tool user setpassword&apos; accepts 
&quot;--smartcard-required&quot;
+and &quot;--clear-smartcard-required&quot;.
+
+Specifying &quot;--smartcard-required&quot; results in the 
UF_SMARTCARD_REQUIRED
+flags being set in the userAccountControl attribute.
+At the same time, the account password is reset to a random
+NTHASH value.
+
+Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
+bit is set in the userAccountControl attribute of a user.
+
+When doing a PKINIT based Kerberos logon the KDC adds the
+required PAC_CREDENTIAL_INFO element to the authorization data.
+That means the NTHASH is shared between the PKINIT based client and
+the domain controller, which allows the client to do NTLM based
+authentication on behalf of the user. It also allows an offline
+logon using a smartcard to work on Windows clients.
+
+CTDB changes
+------------
+
+* New improved &apos;ctdb tool&apos;
+
+  &apos;ctdb tool&apos; has been completely rewritten using new client API.
+  Usage messages are much improved.
+
+* Sample CTDB configuration file is installed as ctdbd.conf.
+
+* The use of real-time scheduling when taking locks has been narrowed
+  to limit potential performance impacts on nodes.
+
+* CTDB_RECOVERY_LOCK now supports specification of an external helper
+  to take and hold the recovery lock.
+
+  See the RECOVERY LOCK section in ctdb(7) for details.  Documentation
+  for writing helpers is provided in doc/cluster_mutex_helper.txt.
+
+* &quot;ctdb natgwlist&quot; has been replaced by a top level &quot;ctdb 
natgw&quot;
+  command that has &quot;master&quot;, &quot;list&quot; and &quot;status&quot; 
subcommands.
+
+* The &apos;onnode&apos; command no longer supports the &quot;recmaster&quot;, 
&quot;lvs&quot; and
+  &quot;natgw&quot; node specifications.
+
+* Faster resetting of TCP connections to public IP addresses during
+  failover.
+
+* Tunables MaxRedirectCount, ReclockPingPeriod,
+  DeferredRebalanceOnNodeAdd are now obsolete/ignored.
+
+* &quot;ctdb listvars&quot; now lists all variables, including the first one.
+
+* &quot;ctdb xpnn&quot;, &quot;ctdb rebalanceip&quot; and &quot;ctdb 
rebalancenode&quot; have been
+  removed.
+
+  These are not needed because &quot;ctdb reloadips&quot; should do the correct
+  rebalancing.
+
+* Output for the following commands has been simplified:
+
+    ctdb getdbseqnum
+    ctdb getdebug
+    ctdb getmonmode
+    ctdb getpid
+    ctdb getreclock
+    ctdb getpid
+    ctdb pnn
+
+  These now simply print the requested output with no preamble.  This
+  means that scripts no longer need to strip part of the output.
+
+  &quot;ctdb getreclock&quot; now prints nothing when the recovery lock is not
+  set.
+
+* Output for the following commands has been improved:
+
+  ctdb setdebug
+  ctdb uptime
+
+* &apos;ctdb process-exists&apos; has been updated to only take a PID argument.
+
+  The PNN can be specified with -n &lt;PNN&gt;.  Output also cleaned up.
+
+* LVS support has been reworked - related commands and configuration
+  variables have changed.
+
+  &apos;ctdb lvsmaster&apos; and &apos;ctdb lvs&apos; have been replaced by a 
top level
+  &apos;ctdb lvs&apos; command that has &apos;master&apos;, &apos;list&apos; 
and &apos;status&apos;
+  subcommands.
+
+  See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
+  including configuration changes.
+
+* Improved sample NFS Ganesha call-out.
+
+New shadow_copy2 options
+------------------------
+
+* shadow:snapprefix
+
+  With growing number of snapshots file-systems need some mechanism to
+  differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
+  special events, etc. Therefore, these file-systems provide different ways to 
tag
+  snapshots, e.g. provide a configurable way to name snapshots, which is not 
just
+  based on time.  With only shadow:format it is very difficult to filter these
+  snapshots. With this optional parameter, one can specify a variable prefix
+  component for names of the snapshot directories in the file-system. If this
+  parameter is set, together with the shadow:format and shadow:delimiter
+  parameters it determines the possible names of snapshot directories in the
+  file-system. The option only supports Basic Regular Expression (BRE).
+
+* shadow:delimiter
+
+  This optional parameter is used as a delimiter between 
&quot;shadow:snapprefix&quot; and
+  &quot;shadow:format&quot;. This parameter is used only when 
&quot;shadow:snapprefix&quot; is set.
+
+  Default: shadow:delimiter = &quot;_GMT&quot;
+
+
+REMOVED FEATURES
+================
+
+&quot;only user&quot; and &quot;username&quot; parameters
+-------------------------------------
+
+These two parameters have long been deprecated and superseded by
+&quot;valid users&quot; and &quot;invalid users&quot;.
+
+
+smb.conf changes
+================
+
+  Parameter Name                Description             Default
+  --------------                -----------             -------
+  kccsrv:samba_kcc              Changed default         yes
+  ntlm auth                     Changed default         no
+  only user                     Removed
+  password hash gpg key ids     New
+  shadow:snapprefix             New
+  shadow:delimiter              New                     _GMT
+  smb2 leases                   Changed default         yes
+  username                      Removed
+
+
+KNOWN ISSUES
+============
+
+While a lot of schema replication bugs were fixed in this release
+Bug 12204 - Samba fails to replicate schema 69
+(https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
+The replication fails if more than 133 schema objects are added
+at the same time.
+
+More open bugs are listed at:
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
+
+
+CHANGES SINCE 4.5.0rc3
+======================
+
+o   Bj&ouml;rn Baumbach &lt;b...@sernet.de&gt;
+    * BUG 12194: idmap_script: fix missing &quot;IDTOSID&quot; argument in 
scripts
+      command line.
+
+o   Andrew Bartlett &lt;abart...@samba.org&gt;
+    * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData.
+
+o   Ralph Boehme &lt;s...@samba.org&gt;
+    * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr.
+    * BUG 12181: vfs_acl_common not setting filesystem permissions anymore.
+    * BUG 12184: Loading shared RPC modules failed.
+
+o   G&uuml;nther Deschner &lt;g...@samba.org&gt;
+    * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname
+      length check.
+
+o   Stefan Metzmacher &lt;me...@samba.org&gt;
+    * BUG 11994: smbclient fails to connect to Azure or Apple share spnego
+      fails with no mechListMIC.
+
+o   Martin Schwenke &lt;mar...@meltin.net&gt;
+    * BUG 12180: CTDB crashes running eventscripts.
+
+
+CHANGES SINCE 4.5.0rc2
+======================
+
+o   Michael Adam &lt;ob...@samba.org&gt;
+    * BUG 12155: Some idmap backends don&apos;t perform range checks for the 
result
+      of sids_to_xids.
+
+o   Jeremy Allison &lt;j...@samba.org&gt;
+    * BUG 12115: Endless loop on drsuapi pull replication after schema changes.
+    * BUG 12135: net ads gpo refresh can crash with null pointer deref..
+    * BUG 12139: Race between break oplock and check for share_mode.
+    * BUG 12150: SMB2 snapshot query fails on DFS shares..
+    * BUG 12165: smbclient allinfo doesn&apos;t correctly return 
&apos;previous version&apos;
+      info over SMB1.
+    * BUG 12166: smbclient allinfo doesn&apos;t correctly return 
&apos;previous version&apos;
+      info over SMB2.
+    * BUG 12174: error: &apos;conn&apos; undeclared.
+
+o   Douglas Bagnall &lt;douglas.bagn...@catalyst.net.nz&gt;
+    * BUG 12143: misnamed attribute in samba_kcc causes exception in unusual
+      circumstances.
+    * BUG 12187: Backport changes for partial attribute set calculation
+      for 4.5.
+
+o   Andrew Bartlett &lt;abart...@samba.org&gt;
+    * BUG 12107: backport backupkey tests.
+    * BUG 12115: Endless loop on drsuapi pull replication after schema changes.
+    * BUG 12128: Correctly resolve replicated schema changes regarding linked
+      attributes.
+
+o   Amitay Isaacs &lt;ami...@gmail.com&gt;
+    * BUG 12137: Fix printf format non-liternal warnings and printf
+      format errors.
+    * BUG 12138: Fix uninitialized timeout in ctdb_pmda.
+    * BUG 12151: Drop resurrected ctdb commands in new ctdb tool.
+    * BUG 12152: Fix ctdb addip; implementation to match ctdb delip.
+    * BUG 12163: Fix missing arguments and format elements in format strings.
+    * BUG 12168: Fix format-nonliteral warnings.
+
+o   Stefan Metzmacher &lt;me...@samba.org&gt;
+    * BUG 12108: Backport selftest/autobuild fixes to v4-5-test.
+    * BUG 12114: In memory schema updated on non schema master.
+    * BUG 12115: Endless loop on drsuapi pull replication after schema changes.
+    * BUG 12128: Correctly resolve replicated schema changes regarding
+      linked attributes.
+    * BUG 12129: let samba-tool ldapcmp ignore whenChanged.
+
+o   Garming Sam &lt;garm...@catalyst.net.nz&gt;
+    * BUG 12187: Backport changes for partial attribute set calculation
+      for 4.5.
+
+o   Andreas Schneider &lt;a...@samba.org&gt;
+    * BUG 12175: smbget always prompts for a username.
+
+o   Christof Schmitt &lt;c...@samba.org&gt;
+    * BUG 12150: SMB2 snapshot query fails on DFS shares..
+
+o   Martin Schwenke &lt;mar...@meltin.net&gt;
+    * BUG 12157: Coverity and related fixes.
+    * BUG 12158: CTDB release IP fixes.
+    * BUG 12161: Fix CTDB cumulative takeover timeout.
+    * BUG 12170: CTDB test runs can kill each other&apos;s ctdbd daemons.
+
+o   Uri Simchoni &lt;u...@samba.org&gt;
+    * BUG 12145: smbd: if inherit owner is enabled, the free disk on a folder
+      should take the owner&apos;s quota into account.
+    * BUG 12149: smbd: cannot load a Windows device driver from a Samba share
+      via SMB2.
+    * BUG 12172: a snapshot folder cannot be accessed via SMB1.
+
+
+CHANGES SINCE 4.5.0rc1
+======================
+
+o   Ralph Boehme &lt;s...@samba.org&gt;
+    * BUG 12005: parse_share_modes() chokes on ctdb tombstone record from ltdb.
+    * BUG 12105: smbclient connection to not reachable IP eats 100% CPU.
+
+o   Ira Cooper &lt;i...@samba.org&gt;
+    * BUG 12133: source3/wscript: Add support for disabling vfs_cephfs.
+
+o   Amitay Isaacs &lt;ami...@gmail.com&gt;
+    * BUG 12121: ctdb-tools: Fix numerous Coverity IDs and other issues.
+    * BUG 12122: If a transaction fails, it should be canceled and transaction
+      handle should be freed.
+    * BUG 12134: dbwrap: Fix structure initialization.
+
+o   Marc Muehlfeld &lt;mmuehlf...@samba.org&gt;
+    * BUG 12023: man: Fix wrong option for parameter &quot;ldap ssl&quot; in 
smb.conf
+      man page.
+
+o   Andreas Schneider &lt;a...@samba.org&gt;
+    * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory.
+
+o   Martin Schwenke &lt;mar...@meltin.net&gt;
+    * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory.
+    * BUG 12109: Fixes several CTDB tests.
+    * BUG 12110: Fix numerous Coverity IDs.
+    * BUG 12113: ctdb-mutex: Avoid corner case where helper is already
+      reparented to init.
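
Review bot: The "net ads dns unregister" section names different commands in its heading and its body: the heading says 'net ads dns unregister', but the text refers to 'net ads register' and 'net ads unregister'. The body should use the same command names as the heading (presumably 'net ads dns register' and 'net ads dns unregister'). In the CTDB list of commands whose output has been simplified, "ctdb getpid" appears twice; drop the repeat or replace it with the command that was meant. On the markup side, <pre> is opened inside <p>, and <H2> and <br> are written uppercase and unclosed, which does not match the XHTML 1.0 Transitional doctype declared at the top of the file. Next to the download links it would help to say which file the signature covers, since the link targets samba-4.5.0.tar.asc while the download is samba-4.5.0.tar.gz. Smaller wording fixes: "non-liternal" in the BUG 12137 entry, "clients which doesn't support" in the NTLMv1 section, and the doubled periods after "deref.." and "DFS shares..".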


-- 
Samba Website Repository
