The branch, master has been updated
via 11d3b0f Add Samba 4.8.0 to the list of releases.
via 963ba19 NEWS[4.8.0]: Samba 4.8.0 Available for Download
from 1e77789 Add backports for CVE-2018-1057 on top of 4.3.13 and 4.4.16
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 11d3b0ff5e062f2bb9fab08422ebfbab6275a461
Author: Karolin Seeger <[email protected]>
Date: Tue Mar 13 20:19:28 2018 +0100
Add Samba 4.8.0 to the list of releases.
Signed-off-by: Karolin Seeger <[email protected]>
commit 963ba19f03bcf15efbdcc5d829aadb34d9c4ddb4
Author: Karolin Seeger <[email protected]>
Date: Tue Mar 13 20:17:15 2018 +0100
NEWS[4.8.0]: Samba 4.8.0 Available for Download
Signed-off-by: Karolin Seeger <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 1 +
history/samba-4.8.0.html | 463 ++++++++++++++++++++++++
posted_news/20180313-191846.4.8.0.body.html | 12 +
posted_news/20180313-191846.4.8.0.headline.html | 3 +
4 files changed, 479 insertions(+)
create mode 100644 history/samba-4.8.0.html
create mode 100644 posted_news/20180313-191846.4.8.0.body.html
create mode 100644 posted_news/20180313-191846.4.8.0.headline.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 7215d25..6bead01 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.8.0.html">samba-4.8.0</a></li>
<li><a href="samba-4.7.6.html">samba-4.7.6</a></li>
<li><a href="samba-4.7.5.html">samba-4.7.5</a></li>
<li><a href="samba-4.7.4.html">samba-4.7.4</a></li>
diff --git a/history/samba-4.8.0.html b/history/samba-4.8.0.html
new file mode 100644
index 0000000..9454066
--- /dev/null
+++ b/history/samba-4.8.0.html
@@ -0,0 +1,463 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+<html xmlns="http://www.w3.org/1999/xhtml";>
+<head>
+<title>Samba 4.8.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.8.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.8.0.tar.gz";>Samba
4.8.0 (gzipped)</a><br>
+<a
href="https://download.samba.org/pub/samba/stable/samba-4.8.0.tar.asc";>Signature</a>
+</p>
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.8.0
+ March 13, 2018
+ =============================
+
+
+This is the first stable release of the Samba 4.8 release series.
+Please read the release notes carefully before upgrading.
+
+
+UPGRADING
+=========
+
+New GUID Index mode in sam.ldb for the AD DC
+--------------------------------------------
+
+Users who upgrade a Samba AD DC in-place will experience a short delay
+in the first startup of Samba while the sam.ldb is re-indexed.
+
+Unlike in previous releases a transparent downgrade is not possible.
+If you wish to downgrade such a DB to a Samba 4.7 or earlier version,
+please run the source4/scripting/bin/sambaundoguididx script first.
+
+Domain member setups require winbindd
+-------------------------------------
+
+Setups with "security = domain" or "security = ads"
require a
+running 'winbindd' now. The fallback that smbd directly contacts
+domain controllers is gone.
+
+smbclient reparse point symlink parameters reversed
+---------------------------------------------------
+
+See the more detailed description below.
+
+Changed trusted domains listing with wbinfo -m --verbose
+--------------------------------------------------------
+
+See the more detailed description below.
+
+NEW FEATURES/CHANGES
+====================
+
+New GUID Index mode in sam.ldb for the AD DC
+--------------------------------------------
+
+The new layout used for sam.ldb is GUID, rather than DN oriented.
+This provides Samba's Active Directory Domain Controller with a faster
+database, particularly at larger scale.
+
+The underlying DB is still TDB, simply the choice of key has changed.
+
+The new mode is not optional, so no configuration is required. Older
+Samba versions cannot read the new database (see the upgrade
+note above).
+
+KDC GPO application
+-------------------
+
+Adds Group Policy support for the Samba kdc. Applies password policies
+(minimum/maximum password age, minimum password length, and password
+complexity) and kerberos policies (user/service ticket lifetime and
+renew lifetime).
+
+Adds the samba_gpoupdate script for applying and unapplying
+policy. Can be applied automatically by setting
+
+ 'apply group policies = yes'.
+
+Time Machine Support with vfs_fruit
+-----------------------------------
+
+Samba can be configured as a Time Machine target for Apple Mac devices
+through the vfs_fruit module. When enabling a share for Time Machine
+support the relevant Avahi records to support discovery will be published
+for installations that have been built against the Avahi client library.
+
+Shares can be designated as a Time Machine share with the following setting:
+
+ 'fruit:time machine = yes'
+
+Support for lower casing the MDNS Name
+--------------------------------------
+
+Allows the server name that is advertised through MDNS to be set to the
+hostname rather than the Samba NETBIOS name. This allows an administrator
+to make Samba registered MDNS records match the case of the hostname
+rather than being in all capitals.
+
+This can be set with the following settings:
+
+ 'mdns name = mdns'
+
+Encrypted secrets
+-----------------
+
+Attributes deemed to be sensitive are now encrypted on disk. The sensitive
+values are currently:
+ pekList
+ msDS-ExecuteScriptPassword
+ currentValue
+ dBCSPwd
+ initialAuthIncoming
+ initialAuthOutgoing
+ lmPwdHistory
+ ntPwdHistory
+ priorValue
+ supplementalCredentials
+ trustAuthIncoming
+ trustAuthOutgoing
+ unicodePwd
+ clearTextPassword
+
+This encryption is enabled by default on a new provision or join, it
+can be disabled at provision or join time with the new option
+'--plaintext-secrets'.
+
+However, an in-place upgrade will not encrypt the database.
+
+Once encrypted, it is not possible to do an in-place downgrade (eg to
+4.7) of the database. To obtain an unencrypted copy of the database a
+new DC join should be performed, specifying the '--plaintext-secrets'
+option.
+
+The key file "encrypted_secrets.key" is created in the same directory
+as the database and should NEVER be disclosed. It is included by the
+samba_backup script.
+
+Active Directory replication visualisation
+------------------------------------------
+
+To work out what is happening in a replication graph, it is sometimes
+helpful to use visualisations. We introduce a samba-tool subcommand to
+write Graphviz dot output and generate text-based heatmaps of the
+distance in hops between DCs.
+
+There are two subcommands, two graphical modes, and (roughly) two modes of
+operation with respect to the location of authority.
+
+`samba-tool visualize ntdsconn` looks at NTDS Connections.
+`samba-tool visualize reps` looks at repsTo and repsFrom objects.
+
+In '--distance' mode (default), the distances between DCs are shown
in
+a matrix in the terminal. With '--color=yes', this is depicted as a
+heatmap. With '--utf8' it is a lttle prettier.
+
+In '--dot' mode, Graphviz dot output is generated. When viewed using
+dot or xdot, this shows the network as a graph with DCs as vertices
+and connections edges. Certain types of degenerate edges are shown in
+different colours or line-styles.
+
+smbclient reparse point symlink parameters reversed
+---------------------------------------------------
+
+A bug in smbclient caused the 'symlink' command to reverse the
+meaning of the new name and link target parameters when creating a
+reparse point symlink against a Windows server. As this is a
+little used feature the ordering of these parameters has been
+reversed to match the parameter ordering of the UNIX extensions
+'symlink' command. The usage message for this command has also
+been improved to remove confusion.
+
+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has improved a lot.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication now.
+
+The LSA LookupNames and LookupSids implementations
+support resolving names and sids from trusts domains/forest
+now. This is important in order to allow Samba based
+domain members to make use of the trust.
+
+However there are currently still a few limitations:
+
+- It's not possible to add users/groups of a trusted domain
+ into domain groups. So group memberships are not expanded
+ on trust boundaries.
+ See https://bugzilla.samba.org/show_bug.cgi?id=13300
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+ in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+ not supported. It's possible to create such a trust,
+ but the KDC and winbindd ignore them.
+
+Changed trusted domains listing with wbinfo -m --verbose
+--------------------------------------------------------
+
+The trust properties printed by wbinfo -m --verbose have been changed to
+correctly reflect the view of the system where wbinfo is executed.
+
+The trust type field in particular can show additional values that correctly
+reflect the type of the trust: "Local" for the local SAM and BUILTIN,
+"Workstation" for a workstation trust to the primary domain,
"RWDC" for the SAM
+on a AD DC, "RODC" for the SAM on a read-only DC, "PDC"
for the SAM on a
+NT4-style DC, "Forest" for a AD forest trust and
"External" for quarantined,
+external or NT4-style trusts.
+
+Indirect trusts are shown as "Routed" including the routing domain.
+
+Example, on a AD DC (SDOM1):
+
+Domain Name DNS Domain Trust Type Transitive In Out
+BUILTIN Local
+SDOM1 sdom1.site RWDC
+WDOM3 wdom3.site Forest Yes No Yes
+WDOM2 wdom2.site Forest Yes Yes Yes
+SUBDOM31 subdom31.wdom3.site Routed (via WDOM3)
+SUBDOM21 subdom21.wdom2.site Routed (via WDOM2)
+
+Same setup, on a member of WDOM2:
+
+Domain Name DNS Domain Trust Type Transitive In Out
+BUILTIN Local
+TITAN Local
+WDOM2 wdom2.site Workstation Yes No Yes
+WDOM1 wdom1.site Routed (via WDOM2)
+WDOM3 wdom3.site Routed (via WDOM2)
+SUBDOM21 subdom21.wdom2.site Routed (via WDOM2)
+SDOM1 sdom1.site Routed (via WDOM2)
+SUBDOM11 subdom11.wdom1.site Routed (via WDOM2)
+
+The list of trusts may be incomplete and additional domains may appear as
+"Routed" if a user of an unknown domain is successfully
authenticated.
+
+VirusFilter VFS module
+----------------------
+
+This new module integrates with Sophos, F-Secure and ClamAV anti-virus
+software to provide scanning and filtering of files on a Samba share.
+
+
+REMOVED FEATURES
+================
+
+'net serverid' commands removed
+-------------------------------
+
+The two commands 'net serverid list' and 'net serverid
wipe' have been
+removed, because the file serverid.tdb is not used anymore.
+
+'net serverid list' can be replaced by listing all files in the
+subdirectory "msg.lock" of Samba's "lock directory".
The unique id
+listed by 'net serverid list' is stored in every process'
lockfile in
+"msg.lock".
+
+'net serverid wipe' is not necessary anymore. It was meant primarily
+for clustered environments, where the serverid.tdb file was not
+properly cleaned up after single node crashes. Nowadays smbd and
+winbind take care of cleaning up the msg.lock and msg.sock directories
+automatically.
+
+NT4-style replication based net commands removed
+------------------------------------------------
+
+The following commands and sub-commands have been removed from the
+"net" utility:
+
+net rpc samdump
+net rpc vampire ldif
+
+Also, replicating from a real NT4 domain with "net rpc vampire" and
+"net rpc vampire keytab" has been removed.
+
+The NT4-based commands were accidentally broken in 2013, and nobody
+noticed the breakage. So instead of fixing them including tests (which
+would have meant writing a server for the protocols, which we don't
+have) we decided to remove them.
+
+For the same reason, the "samsync", "samdeltas" and
"database_redo"
+commands have been removed from rpcclient.
+
+"net rpc vampire keytab" from Active Directory domains continues to
be
+supported.
+
+vfs_aio_linux module removed
+----------------------------
+
+The current Linux kernel aio does not match what Samba would
+do. Shipping code that uses it leads people to false
+assumptions. Samba implements async I/O based on threads by default,
+there is no special module required to see benefits of read and write
+request being sent do the disk in parallel.
+
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ apply group policies New no
+ auth methods Removed
+ binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
+ gpo update command New
+ ldap ssl ads Deprecated
+ map untrusted to domain Removed
+ oplock contention limit Removed
+ prefork children New 1
+ mdns name New netbios
+ fruit:time machine New false
+ profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
+ winbind trusted domains only Removed
+
+
+CHANGES SINCE 4.8.0rc4
+======================
+
+o Jeremy Allison <[email protected]>
+ * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code.
+
+o Ralph Boehme <[email protected]>
+ * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and
admin)
+ password.
+ * BUG 13313: nsswitch: Fix wbinfo -m --verbose trust type "Local".
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and
admin)
+ password.
+
+o Dan Robertson <[email protected]>
+ * BUG 13310: libsmb: Use smb2 tcon if conn_protocol >= SMB2_02.
+
+o Andreas Schneider <[email protected]>
+ * BUG 13315: s3:smbd: Do not crash if we fail to init the session table.
+
+
+CHANGES SINCE 4.8.0rc3
+======================
+
+o Ralph Boehme <[email protected]>
+ * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC
+ server.
+ * BUG 13296: vfs_fruit: Use off_t, not size_t for TM size calculations.
+
+o Alexander Bokovoy <[email protected]>
+ * BUG 13304: mit-kdb: Support MIT Kerberos 1.16 KDB API changes.
+
+o Günther Deschner <[email protected]>
+ * BUG 13277: build: Fix libceph-common detection.
+
+o Poornima G <[email protected]>
+ * BUG 13297: vfs_glusterfs: Fix the wrong pointer being sent in
+ glfs_fsync_async.
+
+o Volker Lendecke <[email protected]>
+ * BUG 13305: vfs_fileid: Fix the 32-bit build.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 13206: Unable to authenticate with an empty string domain
''.
+ * BUG 13276: configure aborts without libnettle/gnutls.
+ * BUG 13278: winbindd (on an AD DC) should only use netlogon/lsa against
+ trusted domains.
+ * BUG 13287: Fix numerous trust related bugs in winbindd and s4 LSA RPC
+ server.
+ * BUG 13290: A disconnecting winbind client can cause a problem in
+ the winbind parent child communication.
+ * BUG 13291: tevent: version 0.9.36.
+ * BUG 13292: winbind requests could get stuck in the queue of a busy child,
+ while later requests could get served fine by other children.
+ * BUG 13293: Minimize the lifetime of
winbindd_cli_state->{pw,gr}ent_state.
+ * BUG 13294: Avoid using fstrcpy(domain->dcname,...) on a char *.
+ * BUG 13295: winbind parent should find the dc of a foreign domain via the
+ primary domain.
+ * BUG 13299: Disable support for CROSS_ORGANIZATION domains.
+ * BUG 13306: ldb: version 1.3.2.
+
+o Sachin Prabhu <[email protected]>
+ * BUG 13303: vfs_glusterfs: Add fallocate support for vfs_glusterfs.
+
+o Garming Sam <[email protected]>
+ * BUG 13031: subnet: Avoid a segfault when renaming subnet objects.
+ * BUG 13269: RODC may skip objects during replication due to naming
+ conflicts.
+
+
+CHANGES SINCE 4.8.0rc2
+======================
+
+o Trever L. Adams <[email protected]>
+ * BUG 13246: Backport Samba VirusFilter.
+
+o Ralph Boehme <[email protected]>
+ * BUG 13228: dbcheck: Add support for restoring missing forward links.
+
+o Günther Deschner <[email protected]>
+ * BUG 13221: python: fix the build with python3.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 13228: dbcheck: Add support for restoring missing forward links.
+
+
+CHANGES SINCE 4.8.0rc1
+======================
+
+o Günther Deschner <[email protected]>
+ * BUG 13227: packaging: Fix default systemd-dir path.
+ * BUG 13238: build: Deal with recent glibc sunrpc header removal.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 13228: repl_meta_data: fix linked attribute corruption on databases
+ with unsorted links on expunge.
+
+o Christof Schmitt <[email protected]>
+ * BUG 13217: s3/smbd: Remove file system sharemode before calling unlink.
+
+o Andreas Schneider <[email protected]>
+ * BUG 13209: Small improvements in winbindd for the resource cleanup in
error
+ cases.
+ * BUG 13238: Make Samba work with tirpc and libnsl2.
+
+
+KNOWN ISSUES
+============
+
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/posted_news/20180313-191846.4.8.0.body.html
b/posted_news/20180313-191846.4.8.0.body.html
new file mode 100644
index 0000000..449d688
--- /dev/null
+++ b/posted_news/20180313-191846.4.8.0.body.html
@@ -0,0 +1,12 @@
+<!-- BEGIN: posted_news/20180313-191846.4.8.0.body.html -->
+<h5><a name="4.8.0">13 March 2018</a></h5>
+<p class=headline>Samba 4.8.0 Available for Download</p>
+<p>
+This is the latest stable release of the Samba 4.8 release series.
+</p>
+<p>
+The uncompressed tarball has been signed using GnuPG (ID 6F33915B6568B7EA).
+The source code can be <a
href="https://download.samba.org/pub/samba/stable/samba-4.8.0.tar.gz";>downloaded
now</a>.
+See <a href="https://www.samba.org/samba/history/samba-4.8.0.html";>the release
notes for more info</a>.
+</p>
+<!-- END: posted_news/20180313-191846.4.8.0.body.html -->
diff --git a/posted_news/20180313-191846.4.8.0.headline.html
b/posted_news/20180313-191846.4.8.0.headline.html
--
Samba Website Repository
