The branch, v4-15-test has been updated
       via  545c0fc8e80 WHATSNEW: add matrix.org and libera
       via  0524e0c6548 WHATSNEW: Add various DNS changes
       via  f8c7428abcf WHATSNEW: reformat for style (mostly Bind9 DLZ allow/deny)
      from  4745b8e8a1b s3:winbindd: Pass the right variable to the debug message

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------


commit 545c0fc8e800c853d278773e3b302e9f7e1670c0
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jul 9 15:55:58 2021 +1200

    WHATSNEW: add matrix.org and libera

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Autobuild-User(v4-15-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-15-test): Thu Aug 26 08:30:58 UTC 2021 on sn-devel-184

commit 0524e0c65484f3cc4da2771beb8df95edad5739e
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jul 9 15:55:19 2021 +1200

    WHATSNEW: Add various DNS changes

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit f8c7428abcfa08a2a245d9d390d91b50c9908577
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jul 9 15:53:40 2021 +1200

    WHATSNEW: reformat for style (mostly Bind9 DLZ allow/deny)

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 116 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 074767e3251..ec9125ebf1e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -55,15 +55,17 @@ See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt NEW FEATURES/CHANGES ==================== -- bind DLZ: Added the ability to set allow/deny lists for zone - transfer clients. - Up to now, any client could use a DNS zone transfer request - to the bind server, and get an answer from Samba. - Now the default behaviour will be to deny those request. - Two new options have been added to manage the list of - authorized/denied clients for zone transfer requests. - In order to be accepted, the request must be issued by a client - that is in the allow list and NOT in the deny list. + +Bind DLZ: add the ability to set allow/deny lists for zone transfer clients +--------------------------------------------------------------------------- + +Up to now, any client could use a DNS zone transfer request to the +bind server, and get an answer from Samba. Now the default behaviour +will be to deny those request. Two new options have been added to +manage the list of authorized/denied clients for zone transfer +requests. In order to be accepted, the request must be issued by a +client that is in the allow list and NOT in the deny list. + "server multi channel support" no longer experimental ----------------------------------------------------- @@ -81,6 +83,7 @@ have been disabled. The samba-tool domain options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool. + Improved command line user experience ------------------------------------- @@ -143,6 +146,7 @@ smbd: winbindd: --log-stdout -> --debug-stdout + Scanning of trusted domains and enterprise principals ----------------------------------------------------- 
@@ -167,6 +171,107 @@ utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage. +samba-tool dns zoneoptions for aging control +-------------------------------------------- + +The samba-tool dns zoneoptions command can be used to turn aging on +and off, alter the refresh and no-refresh periods, and manipulate the +timestamps of existing records. + +To turn aging on for a zone, you can use something like this: + + samba-tool dns zoneoptions --aging=1 --refreshinterval=306600 + +which turns on aging and ensures no records less than five years old +are aged out and scavenged. After aging has been on for sufficient +time for records to be renewed, the command + + samba-tool dns zoneoptions --refreshinterval=168 + +will set the refresh period to the standard seven days. Using this two +step process will help prevent the temporary loss of dynamic records +if scavenging happens before their first renewal. + + +Marking old records as static or dynamic with samba-tool +-------------------------------------------------------- + +A bug in Samba versions prior to 4.9 meant records that were meant to +be static were marked as dynamic and vice versa. To fix the timestamps +in these domains, it is possible to use the following options, +preferably before turning aging on. + + --mark-old-records-static + --mark-records-dynamic-regex + --mark-records-static-regex + +The --mark-old-records-static option will make records older than the +specified date static (that is, with a zero timestamp). 
For example, +if you upgraded to Samba 4.9 in November 2018, you could use ensure no +old records will be mistakenly interpreted as dynamic using the +following option: + + samba-tool dns zoneoptions --mark-old-records-static=2018-11-30 + +Then, if you know that that will have marked some records as static +that should be dynamic, and you know which those are due to your +naming scheme, you can use commands like: + + samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop' + +where '\w+-desktop' is a perl-compatible regular expression that will +match 'bob-desktop', 'alice-desktop', and so on. + +These options are deliberately long and cumbersome to type, so people +have a chance to think before they get to the end. You can make a +mess if you get it wrong. + +All samba-tool dns zoneoptions modes can be given a --dry-run/-n +argument that allows you to inspect the likely results before going +ahead. + +NOTE: for aging to work, you need to have "dns zone scavenging = yes" +set in the smb.conf of at least one server. + + +DNS tombstones are now deleted as appropriate +--------------------------------------------- + +When all the records for a DNS name have been deleted, the node is put +in a tombstoned state (separate from general AD object tombstoning, +which deleted nodes also go through). These tombstones should be +cleaned up periodically. Due to a conflation of scavenging and +tombstoning, we have only been deleting tombstones when aging is +enabled. + +If you have a lot of tombstoned DNS nodes (that is, DNS names for +which you have removed all the records), cleaning up these DNS +tombstones may take a noticeable time. + + +DNS tombstones use a consistent timestamp format +------------------------------------------------ + +DNS records use an hours-since-1601 timestamp format except for in the +case of tombstone records where a 100-nanosecond-intervals-since-1601 +format is used (this latter format being the most common in Windows). 
+We had mixed that up, which might have had strange effects in zones +where aging was enabled (and hence tombstone timestamps were used). + + +samba-tool dns update and RPC changes +------------------------------------- + +The dnsserver DCERPC pipe can be used by samba-tool and Windows tools +to manipulate dns records on the remote server. A bug in Samba meant +it was not possible to update an existing DNS record to change the +TTL. The general behaviour of RPC updates is now closer to that of +Windows. + +samba-tool dns update is now a bit more careful in rejecting and +warning you about malformed IPv4 and IPv6 addresses. + + REMOVED FEATURES ================ @@ -240,7 +345,8 @@ Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by -joining the #samba-technical IRC channel on irc.freenode.net. +joining the #samba-technical IRC channel on irc.libera.chat or the +#samba-technical:matrix.org matrix channel. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down -- Samba Shared Repository
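Review bot: in the first hunk (the new "Bind DLZ: add the ability to set allow/deny lists for zone transfer clients" section) the rewritten paragraph still says "Two new options have been added" without naming them, so an administrator reading these notes has no way to find the settings that control who may pull a zone; please name the two smb.conf options and spell out the default (deny) next to them, since this hunk is the only place the behaviour change is announced. Same hunk, grammar: "deny those request" should read "deny those requests".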
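Review bot: in the large hunk adding the samba-tool dns sections, the aging example `samba-tool dns zoneoptions --aging=1 --refreshinterval=306600` is described as keeping records "less than five years old" from being aged out, but 306600 hours is 35 years (306600 / 8760 = 35), so either the interval or the prose needs correcting so the two agree; the second example, `--refreshinterval=168`, does match "the standard seven days". The example invocations in this hunk also omit the server and zone positional arguments that samba-tool dns zoneoptions takes, so they cannot be copied as written; showing one full command line with placeholder names would help, especially since the text itself warns "You can make a mess if you get it wrong". Two smaller points in the same hunk: "you could use ensure no old records" is missing "to", and the "DNS tombstones are now deleted as appropriate" section describes only the old behaviour ("we have only been deleting tombstones when aging is enabled") and never states what the code does now; add one sentence stating the new behaviour explicitly so the heading is backed by the text.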