The branch, v4-7-test has been updated
       via  4cc6517 WHATSNEW: We generate SHA265 certificates now
       via  2ab073a WHATSNEW: warn against using the RODC on older Samba versions
       via  4dfa810 WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP
       via  d6a9f6b WHATSNEW: fix spelling
      from  eb299c6 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test

- Log -----------------------------------------------------------------
commit 4cc6517a170f075a14375d64c56d7690c93a1e29
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 28 21:37:16 2017 +1200

    WHATSNEW: We generate SHA265 certificates now

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(v4-7-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-7-test): Wed Sep 6 14:21:15 CEST 2017 on sn-devel-144

commit 2ab073a1ab9fa76337ca01e7dbc050795ec439ce
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 28 21:36:14 2017 +1200

    WHATSNEW: warn against using the RODC on older Samba versions

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 4dfa810ed569406387bbb4abd636ab3c7543c8f9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 28 21:35:56 2017 +1200

    WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit d6a9f6be321f7f2489df934dc57362f09b5f3863
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 28 21:35:34 2017 +1200

    WHATSNEW: fix spelling

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c58c297..8ba321f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency -------------------------------------------------------------- Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba -erronously did not take whole-DB read locks to protect search +erroneously did not take whole-DB read locks to protect search and DRS replication operations. While each object returned remained subject to a record-level lock (so 
@@ -150,7 +150,8 @@ the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource -intensive in some situations. +intensive in some situations. If you run Samba in a +resource-constrained VM, consider allocating more RAM and swap space. Improved Read-Only Domain Controller (RODC) Support --------------------------------------------------- @@ -172,6 +173,14 @@ The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC. +Samba 4.7 is the first Samba release to be secure as an RODC or when +hosting an RODC. If you have been using earlier Samba versions to +host or be an RODC, please upgrade. + +In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for +details on the security implications for password disclosure to an +RODC using earlier versions. + Additional password hashes stored in supplementalCredentials ------------------------------------------------------------ @@ -247,6 +256,15 @@ the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context. +SHA256 LDAPS Certificates +------------------------- + +The self-signed certificate generated for use on LDAPS will now be +generated with a SHA256 self-signature, not a SHA1 self-signature. + +Replacing this certificate with a certificate signed by a trusted +CA is still highly recommended. + CTDB changes ------------ -- Samba Shared Repository
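
Review bot: The sentence added at the end of the @@ -150,7 +150,8 @@ hunk ("consider allocating more RAM and swap space") gives the reader nothing to size against. The unchanged context just above already names the cause, a fork()ed child for every LDAP client, so say that memory use grows with the number of concurrent LDAP clients, and word the advice for any memory-constrained host rather than only a VM.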
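
Review bot: In the RODC hunk (@@ -172,6 +173,14 @@), "please upgrade" does not say what has to be upgraded or what to do afterwards. "host or be an RODC" covers both the RODC and the DC it replicates from, so state explicitly whether both sides need 4.7. Since the second added paragraph mentions password disclosure to an RODC, either summarise in one sentence what an administrator who ran the earlier versions should check, or say that bug 12977 carries that guidance. "the first Samba release to be secure as an RODC" is also a broad claim; scoping it to the issues fixed in this release would be easier to stand behind.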
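
Review bot: The new "SHA256 LDAPS Certificates" section (@@ -247,6 +256,15 @@) says the certificate "will now be generated" with a SHA256 self-signature but not what happens to a self-signed certificate that an earlier version already generated. Add a sentence stating whether an existing SHA1 certificate is kept on upgrade and, if it is, how an administrator gets a new one generated. The commit subject also reads "SHA265" where the added text says SHA256.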