The branch, master has been updated
       via  3d12b42 NEWS[4.5.0]: Samba 4.5.0 Available for Download
      from  b6efe01 Add "Release Planning" to the releases box

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3d12b42878ea6dbc8c615fc11bdaf0b273410437
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 7 16:58:49 2016 +0200

    NEWS[4.5.0]: Samba 4.5.0 Available for Download

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/samba-4.5.0.html                        | 504 ++++++++++++++++++++++++
 posted_news/20160907-150254.4.5.0.body.html     |  12 +
 posted_news/20160907-150254.4.5.0.headline.html |   3 +
 3 files changed, 519 insertions(+)
 create mode 100644 history/samba-4.5.0.html
 create mode 100644 posted_news/20160907-150254.4.5.0.body.html
 create mode 100644 posted_news/20160907-150254.4.5.0.headline.html


Changeset truncated at 500 lines:

diff --git a/history/samba-4.5.0.html b/history/samba-4.5.0.html
new file mode 100644
index 0000000..78920a1
--- /dev/null
+++ b/history/samba-4.5.0.html
@@ -0,0 +1,504 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.5.0 - Release Notes</title> +</head> +<body> +<H2>Samba 4.5.0 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.gz">Samba 4.5.0 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.5.0 + September 7, 2016 + ============================= + + +This is the first stable release of the Samba 4.5 release series. + + +UPGRADING +========= + +NTLMv1 authentication disabled by default +----------------------------------------- + +In order to improve security we have changed +the default value for the "ntlm auth" option from +"yes" to "no". This may have impact on very old +clients which doesn't support NTLMv2 yet. + +The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. + +By default, Samba will only allow NTLMv2 via NTLMSSP now, +as we have the following default "lanman auth = no", +"ntlm auth = no" and "raw NTLMv2 auth = no". + + +NEW FEATURES/CHANGES +==================== + +Support for LDAP_SERVER_NOTIFICATION_OID +---------------------------------------- + +The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID +control. This can be used to monitor the Active Directory database +for changes. + +KCC improvements for sparse network replication +----------------------------------------------- + +The Samba KCC will now be the default knowledge consistency checker in +Samba AD. Instead of using full mesh replication between every DC, the +KCC will set up connections to optimize replication latency and cost +(using site links to calculate the routes). 
This change should allow +larger domains to function significantly better in terms of replication +traffic and the time spent performing DRS replication. + +VLV - Virtual List View +----------------------- + +The VLV Control allows applications to page the LDAP directory in the +way you might expect a live phone book application to operate, without +first downloading the entire directory. + +DRS Replication for the AD DC +----------------------------- + +DRS Replication in Samba 4.5 is now much more efficient in handling +linked attributes, particularly in large domains with over 1000 group +memberships or other links. + +Replication is also much more reliable in the handling of tree +renames, such as the rename of an organizational unit containing many +users. Extensive tests have been added to ensure this code remains +reliable, particularly in the case of conflicts between objects added +with the same name on different servers. + +Schema updates are also handled much more reliably. + +samba-tool drs replicate with new options +----------------------------------------- + +'samba-tool drs replicate' got two new options: + +The option '--local-online' will do the DsReplicaSync() via IRPC +to the local dreplsrv service. + +The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the +DsReplicaSync(), which won't wait for the replication result. + +replPropertyMetaData Changes +---------------------------- + +During the development of the DRS replication, tests showed that Samba +stores the replPropertyMetaData object incorrectly. To address this, +be aware that 'dbcheck' will now detect and offer to fix all objects in +the domain for this error. 
+ +For further information and instructions how to fix the problem, see +https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes + +Linked attributes on deleted objects +------------------------------------ + +In Active Directory, an object that has been tombstoned or recycled +has no linked attributes. However, Samba incorrectly maintained such +links, slowing replication and run-time performance. 'dbcheck' now +offers to remove such links, and they are no longer kept after the +object is tombstoned or recycled. + +Improved AD DC performance +-------------------------- + +Many other improvements have been made to our LDAP database layer in +the AD DC, to improve performance, both during 'samba-tool domain +provision' and at runtime. + +Other dbcheck improvements +-------------------------- + + - 'samba-tool dbcheck' can now find and fix a missing or corrupted + 'deleted objects' container. + - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values + in objectClass as these were then re-sorted at the next dbcheck indefinitely. + +Tombstone Reanimation +--------------------- + +Samba now supports tombstone reanimation, a feature in the AD DC +allowing tombstones, that is objects which have been deleted, to be +restored with the original SID and GUID still in place. + +Multiple DNS Forwarders on the AD DC +------------------------------------ + +Previously, the Samba internal DNS server supported only one DNS forwarder. +The "dns forwarder" option has been enhanced and now supports a space-separated +list of multiple DNS server IP addresses. As a result, Samba is now able to +fall back to alternative DNS servers. In case that a DNS query to the first +server timed out, it is sent to the next DNS server listed in the option. + +Password quality plugin support in the AD DC +-------------------------------------------- + +The check password script now operates correctly in the AD DC. 
+ +pwdLastSet is now correctly honoured +------------------------------------ + +BUG 9654: The pwdLastSet attribute is now correctly handled (this previously +permitted passwords that expire next). + +net ads dns unregister +---------------------- + +It is now possible to remove the DNS entries created with 'net ads register' +with the matching 'net ads unregister' command. + +samba-tool improvements +------------------------ + +Running 'samba-tool' on the command line should now be a lot snappier. The tool +now only loads the code specific to the subcommand that you wish to run. + +SMB 2.1 Leases enabled by default +--------------------------------- + +Leasing is an SMB 2.1 (and higher) feature which allows clients to +aggressively cache files locally above and beyond the caching allowed +by SMB 1 oplocks. This feature was disabled in previous releases, but +the SMB2 leasing code is now considered mature and stable enough to be +enabled by default. + +Open File Description (OFD) Locks +--------------------------------- + +On systems that support them (currently only Linux), the fileserver now +uses Open File Description (OFD) locks instead of POSIX locks to implement +client byte range locks. As these locks are associated with a specific +file descriptor on a file this allows more efficient use when multiple +descriptors having file locks are opened onto the same file. An internal +tunable "smbd:force process locks = true" may be used to turn off OFD +locks if there appear to be problems with them. + +Password sync as Active Directory domain controller +--------------------------------------------------- + +The new commands 'samba-tool user getpassword' +and 'samba-tool user syncpasswords' provide +access and syncing of various password fields. + +If compiled with GPGME support (--with-gpgme) it's +possible to store cleartext passwords in a PGP/OpenGPG +encrypted form by configuring the new "password hash gpg key ids" +option. 
This requires gpgme devel and python packages to be installed +(e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu). + +Python crypto requirements +-------------------------- + +Some 'samba-tool' subcommands require python-crypto and/or +python-m2crypto packages to be installed. + +SmartCard/PKINIT improvements +----------------------------- + +'samba-tool user create' accepts "--smartcard-required" +and 'samba-tool user setpassword' accepts "--smartcard-required" +and "--clear-smartcard-required". + +Specifying "--smartcard-required" results in the UF_SMARTCARD_REQUIRED +flags being set in the userAccountControl attribute. +At the same time, the account password is reset to a random +NTHASH value. + +Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED +bit is set in the userAccountControl attribute of a user. + +When doing a PKINIT based Kerberos logon the KDC adds the +required PAC_CREDENTIAL_INFO element to the authorization data. +That means the NTHASH is shared between the PKINIT based client and +the domain controller, which allows the client to do NTLM based +authentication on behalf of the user. It also allows an offline +logon using a smartcard to work on Windows clients. + +CTDB changes +------------ + +* New improved 'ctdb tool' + + 'ctdb tool' has been completely rewritten using new client API. + Usage messages are much improved. + +* Sample CTDB configuration file is installed as ctdbd.conf. + +* The use of real-time scheduling when taking locks has been narrowed + to limit potential performance impacts on nodes. + +* CTDB_RECOVERY_LOCK now supports specification of an external helper + to take and hold the recovery lock. + + See the RECOVERY LOCK section in ctdb(7) for details. Documentation + for writing helpers is provided in doc/cluster_mutex_helper.txt. + +* "ctdb natgwlist" has been replaced by a top level "ctdb natgw" + command that has "master", "list" and "status" subcommands. 
+ +* The 'onnode' command no longer supports the "recmaster", "lvs" and + "natgw" node specifications. + +* Faster resetting of TCP connections to public IP addresses during + failover. + +* Tunables MaxRedirectCount, ReclockPingPeriod, + DeferredRebalanceOnNodeAdd are now obsolete/ignored. + +* "ctdb listvars" now lists all variables, including the first one. + +* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been + removed. + + These are not needed because "ctdb reloadips" should do the correct + rebalancing. + +* Output for the following commands has been simplified: + + ctdb getdbseqnum + ctdb getdebug + ctdb getmonmode + ctdb getpid + ctdb getreclock + ctdb getpid + ctdb pnn + + These now simply print the requested output with no preamble. This + means that scripts no longer need to strip part of the output. + + "ctdb getreclock" now prints nothing when the recovery lock is not + set. + +* Output for the following commands has been improved: + + ctdb setdebug + ctdb uptime + +* 'ctdb process-exists' has been updated to only take a PID argument. + + The PNN can be specified with -n <PNN>. Output also cleaned up. + +* LVS support has been reworked - related commands and configuration + variables have changed. + + 'ctdb lvsmaster' and 'ctdb lvs' have been replaced by a top level + 'ctdb lvs' command that has 'master', 'list' and 'status' + subcommands. + + See the LVS sections in ctdb(7) and ctdbd.conf(5) for details, + including configuration changes. + +* Improved sample NFS Ganesha call-out. + +New shadow_copy2 options +------------------------ + +* shadow:snapprefix + + With growing number of snapshots file-systems need some mechanism to + differentiate one set of snapshots from other, e.g. monthly, weekly, manual, + special events, etc. Therefore, these file-systems provide different ways to tag + snapshots, e.g. provide a configurable way to name snapshots, which is not just + based on time. 
With only shadow:format it is very difficult to filter these + snapshots. With this optional parameter, one can specify a variable prefix + component for names of the snapshot directories in the file-system. If this + parameter is set, together with the shadow:format and shadow:delimiter + parameters it determines the possible names of snapshot directories in the + file-system. The option only supports Basic Regular Expression (BRE). + +* shadow:delimiter + + This optional parameter is used as a delimiter between "shadow:snapprefix" and + "shadow:format". This parameter is used only when "shadow:snapprefix" is set. + + Default: shadow:delimiter = "_GMT" + + +REMOVED FEATURES +================ + +"only user" and "username" parameters +------------------------------------- + +These two parameters have long been deprecated and superseded by +"valid users" and "invalid users". + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + kccsrv:samba_kcc Changed default yes + ntlm auth Changed default no + only user Removed + password hash gpg key ids New + shadow:snapprefix New + shadow:delimiter New _GMT + smb2 leases Changed default yes + username Removed + + +KNOWN ISSUES +============ + +While a lot of schema replication bugs were fixed in this release +Bug 12204 - Samba fails to replicate schema 69 +(https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open. +The replication fails if more than 133 schema objects are added +at the same time. + +More open bugs are listed at: +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs + + +CHANGES SINCE 4.5.0rc3 +====================== + +o Björn Baumbach <b...@sernet.de> + * BUG 12194: idmap_script: fix missing "IDTOSID" argument in scripts + command line. + +o Andrew Bartlett <abart...@samba.org> + * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData. 
+ +o Ralph Boehme <s...@samba.org> + * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr. + * BUG 12181: vfs_acl_common not setting filesystem permissions anymore. + * BUG 12184: Loading shared RPC modules failed. + +o Günther Deschner <g...@samba.org> + * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname + length check. + +o Stefan Metzmacher <me...@samba.org> + * BUG 11994: smbclient fails to connect to Azure or Apple share spnego + fails with no mechListMIC. + +o Martin Schwenke <mar...@meltin.net> + * BUG 12180: CTDB crashes running eventscripts. + + +CHANGES SINCE 4.5.0rc2 +====================== + +o Michael Adam <ob...@samba.org> + * BUG 12155: Some idmap backends don't perform range checks for the result + of sids_to_xids. + +o Jeremy Allison <j...@samba.org> + * BUG 12115: Endless loop on drsuapi pull replication after schema changes. + * BUG 12135: net ads gpo refresh can crash with null pointer deref.. + * BUG 12139: Race between break oplock and check for share_mode. + * BUG 12150: SMB2 snapshot query fails on DFS shares.. + * BUG 12165: smbclient allinfo doesn't correctly return 'previous version' + info over SMB1. + * BUG 12166: smbclient allinfo doesn't correctly return 'previous version' + info over SMB2. + * BUG 12174: error: 'conn' undeclared. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 12143: misnamed attribute in samba_kcc causes exception in unusual + circumstances. + * BUG 12187: Backport changes for partial attribute set calculation + for 4.5. + +o Andrew Bartlett <abart...@samba.org> + * BUG 12107: backport backupkey tests. + * BUG 12115: Endless loop on drsuapi pull replication after schema changes. + * BUG 12128: Correctly resolve replicated schema changes regarding linked + attributes. + +o Amitay Isaacs <ami...@gmail.com> + * BUG 12137: Fix printf format non-liternal warnings and printf + format errors. + * BUG 12138: Fix uninitialized timeout in ctdb_pmda. 
+ * BUG 12151: Drop resurrected ctdb commands in new ctdb tool. + * BUG 12152: Fix ctdb addip; implementation to match ctdb delip. + * BUG 12163: Fix missing arguments and format elements in format strings. + * BUG 12168: Fix format-nonliteral warnings. + +o Stefan Metzmacher <me...@samba.org> + * BUG 12108: Backport selftest/autobuild fixes to v4-5-test. + * BUG 12114: In memory schema updated on non schema master. + * BUG 12115: Endless loop on drsuapi pull replication after schema changes. + * BUG 12128: Correctly resolve replicated schema changes regarding + linked attributes. + * BUG 12129: let samba-tool ldapcmp ignore whenChanged. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 12187: Backport changes for partial attribute set calculation + for 4.5. + +o Andreas Schneider <a...@samba.org> + * BUG 12175: smbget always prompts for a username. + +o Christof Schmitt <c...@samba.org> + * BUG 12150: SMB2 snapshot query fails on DFS shares.. + +o Martin Schwenke <mar...@meltin.net> + * BUG 12157: Coverity and related fixes. + * BUG 12158: CTDB release IP fixes. + * BUG 12161: Fix CTDB cumulative takeover timeout. + * BUG 12170: CTDB test runs can kill each other's ctdbd daemons. + +o Uri Simchoni <u...@samba.org> + * BUG 12145: smbd: if inherit owner is enabled, the free disk on a folder + should take the owner's quota into account. + * BUG 12149: smbd: cannot load a Windows device driver from a Samba share + via SMB2. + * BUG 12172: a snapshot folder cannot be accessed via SMB1. + + +CHANGES SINCE 4.5.0rc1 +====================== + +o Ralph Boehme <s...@samba.org> + * BUG 12005: parse_share_modes() chokes on ctdb tombstone record from ltdb. + * BUG 12105: smbclient connection to not reachable IP eats 100% CPU. + +o Ira Cooper <i...@samba.org> + * BUG 12133: source3/wscript: Add support for disabling vfs_cephfs. + +o Amitay Isaacs <ami...@gmail.com> + * BUG 12121: ctdb-tools: Fix numerous Coverity IDs and other issues. 
+ * BUG 12122: If a transaction fails, it should be canceled and transaction + handle should be freed. + * BUG 12134: dbwrap: Fix structure initialization. + +o Marc Muehlfeld <mmuehlf...@samba.org> + * BUG 12023: man: Fix wrong option for parameter "ldap ssl" in smb.conf + man page. + +o Andreas Schneider <a...@samba.org> + * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory. + +o Martin Schwenke <mar...@meltin.net> + * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory. + * BUG 12109: Fixes several CTDB tests. + * BUG 12110: Fix numerous Coverity IDs. + * BUG 12113: ctdb-mutex: Avoid corner case where helper is already + reparented to init. -- Samba Website Repository
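Review bot: the release-notes text is pasted into the `<pre>` block with unescaped angle brackets, so the browser will treat `-n <PNN>` in the CTDB section and every author address in the CHANGES lists (for example `o Björn Baumbach <b...@sernet.de>` and `o Andrew Bartlett <abart...@samba.org>`) as markup and drop them from the rendered page; they need to be written as `-n &lt;PNN&gt;` and `&lt;b...@sernet.de&gt;` (an `&` in the text would likewise need `&amp;`). The markup around the block also does not match the declared XHTML 1.0 Transitional doctype: `<pre>` is opened inside an unclosed `<p>`, `<H2>` is uppercase and `<br>` is not self-closed; closing the `<p>` before the `<pre>`, using `<h2>` and `<br />` would make the file validate like the other history pages. Minor: `ctdb getpid` is listed twice under "Output for the following commands has been simplified". Since the changeset is truncated at 500 lines, the closing `</pre>`, `</body>` and `</html>` could not be checked from this mail.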