[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Aug 23 14:03:04 UTC 2016

The branch, master has been updated
       via  77fae5b WHATSNEW: clear the sections for 4.6
      from  bad738c messaging_dgm: Fix signed/unsigned hickups


- Log -----------------------------------------------------------------
commit 77fae5bcd2da9e920acab0284c90813dda6ad794
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sun Aug 21 14:37:29 2016 +0200

    WHATSNEW: clear the sections for 4.6
    The 4.5.x WHATSNEW.txt is maintained in v4-5-test.
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Aug 23 16:02:09 CEST 2016 on sn-devel-144


Summary of changes:
 WHATSNEW.txt | 310 +----------------------------------------------------------
 1 file changed, 2 insertions(+), 308 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 25da528..6b96cae 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,337 +1,31 @@
 Release Announcements
-This is the first preview release of Samba 4.5.  This is *not*
+This is the first preview release of Samba 4.6.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+Samba 4.6 will be the next version of the Samba suite.
-NTLMv1 authentication disabled by default
-In order to improve security we have changed
-the default value for the "ntlm auth" option from
-"yes" to "no". This may have impact on very old
-client which doesn't support NTLMv2 yet.
-The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
-By default Samba will only allow NTLMv2 via NTLMSSP now,
-as we have the following default "lanman auth = no",
-"ntlm auth = no" and "raw NTLMv2 auth = no".
-The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
-control. This can be used to monitor the active directory database
-for changes.
-KCC improvements for sparse network replication
-The Samba KCC will now be the default knowledge consistency checker in
-Samba AD. Instead of using full mesh replication between every DC, the
-KCC will set up connections to optimize replication latency and cost
-(using site links to calculate the routes). This change should allow
-larger domains to function significantly better in terms of replication
-traffic and the time spent performing DRS replication.
-VLV - Virtual List View
-The VLV Control allows applications to page the LDAP directory in the
-way you might expect a live phone book application to operate, without
-first downloading the entire directory.
-DRS Replication for the AD DC
-DRS Replication in Samba 4.5 is now much more efficient in handling
-linked attributes, particularly in large domains with over 1000 group
-memberships or other links.
-Replication is also much more reliable in the handling of tree
-renames, such as the rename of an organizational unit containing many
-users.  Extensive tests have been added to ensure this code remains
-reliable, particularly in the case of conflicts between objects added
-with the same name on different servers.
-Schema updates are also handled much more reliably.
-samba-tool drs replicate with new options
-samba-tool drs replicate got two new options:
-The option '--local-online' will do the DsReplicaSync() via IRPC
-to the local dreplsrv service.
-The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
-DsReplicaSync(), which won't wait for the replication result.
-replPropertyMetaData Changes
-During the development of the DRS replication, tests showed that Samba
-stores the replPropertyMetaData object incorrectly.  To address this,
-be aware that dbcheck will now detect and offer to fix all objects in
-the domain for this error.
-Linked attributes on deleted objects
-In Active Directory, an object that has been tombstoned or recycled
-has no linked attributes.  However, Samba incorrectly maintained such
-links, slowing replication and run-time performance.  dbcheck now
-offers to remove such links, and they are no longer kept after the
-object is tombstoned or recycled.
-Improved AD DC performance
-Many other improvements have been made to our LDAP database layer in
-the AD DC, to improve performance, both during samba-tool domain
-provision and at runtime.
-Other dbcheck improvements
- - samba-tool dbcheck can now find and fix a missing or corrupted
-   'deleted objects' container.
- - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
-   in objectClass as these were then re-sorted at the next dbcheck indefinitely.
-Tombstone Reanimation
-Samba now supports tombstone reanimation, a feature in the AD DC
-allowing tombstones, that is objects which have been deleted, to be
-restored with the original SID and GUID still in place.
-Multiple DNS Forwarders on the AD DC
-Multiple DNS forwarders are now supported on the AD DC, allowing
-samba to fall back between two different DNS servers for forwarded queries.
-Password quality plugin support in the AD DC
-The check password script now operates correctly in the AD DC (this
-was silently ignored in past releases)
-pwdLastSet is now correctly honoured
-BUG 9654: the pwdLastSet attribute is now correctly handled (this previously
-permitted passwords that next expire).
-net ads dns unregister
-It is now possible to remove the DNS entries created with 'net ads register'
-with the matching 'net ads unregister' command.
-Samba-tool improvements
-Running samba-tool on the command line should now be a lot snappier. The tool
-now only loads the code specific to the subcommand that you wish to run.
-SMB 2.1 Leases enabled by default
-Leasing is an SMB 2.1 (and higher) feature which allows clients to
-aggressively cache files locally above and beyond the caching allowed
-by SMB 1 oplocks. This feature was disabled in previous releases, but
-the SMB2 leasing code is now considered mature and stable enough to be
-enabled by default.
-Open File Description (OFD) Locks
-On systems that support them (currently only Linux), the fileserver now
-uses Open File Description (OFD) locks instead of POSIX locks to implement
-client byte range locks. As these locks are associated with a specific
-file descriptor on a file this allows more efficient use when multiple
-descriptors having file locks are opened onto the same file. An internal
-tunable "smbd:force process locks = true" may be used to turn off OFD
-locks if there appear to be problems with them.
-Password sync as active directory domain controller
-The new commands 'samba-tool user getpassword'
-and 'samba-tool user syncpasswords' provide
-access and syncing of various password fields.
-If compiled with GPGME support (--with-gpgme) it's
-possible to store cleartext passwords in a PGP/OpenGPG
-encrypted form by configuring the new "password hash gpg key ids"
-option. This requires gpgme devel and python packages to be installed
-(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
-Python crypto requirements
-Some samba-tool subcommands require python-crypto and/or
-python-m2crypto packages to be installed.
-SmartCard/PKINIT improvements
-"samba-tool user create" accepts --smartcard-required
-and "samba-tool user setpassword" accepts --smartcard-required
-and --clear-smartcard-required.
-Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
-flags being set in the userAccountControl attribute.
-At the same time the account password is reset to a random
-NTHASH value.
-Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
-bit is set in the userAccountControl attribute of a user.
-When doing a PKINIT based kerberos logon the KDC adds the
-required PAC_CREDENTIAL_INFO element to the authorization data.
-That means the NTHASH is shared between the PKINIT based client and
-the domain controller, which allows the client to do NTLM based
-authentication on behalf of the user. It also allows on offline
-logon using a smartcard to work on Windows clients.
-CTDB changes
-* New improved ctdb tool
-  ctdb tool has been completely rewritten using new client API.
-  Usage messages are much improved.
-* Sample CTDB configuration file is installed as ctdbd.conf.
-* The use of real-time scheduling when taking locks has been narrowed
-  to limit potential performance impacts on nodes
-* CTDB_RECOVERY_LOCK now supports specification of an external helper
-  to take and hold the recovery lock
-  See the RECOVERY LOCK section in ctdb(7) for details.  Documentation
-  for writing helpers is provided in doc/cluster_mutex_helper.txt.
-* "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
-  command that has "master", "list" and "status" subcommands
-* The onnode command no longer supports the "recmaster", "lvs" and
-  "natgw" node specifications
-* Faster resetting of TCP connections to public IP addresses during
-  failover
-* Tunables MaxRedirectCount, ReclockPingPeriod,
-  DeferredRebalanceOnNodeAdd are now obsolete/ignored
-* "ctdb listvars" now lists all variables, including the first one
-* "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
-  removed
-  These are not needed because "ctdb reloadips" should do the correct
-  rebalancing.
-* Output for the following commands has been simplified:
-    ctdb getdbseqnum
-    ctdb getdebug
-    ctdb getmonmode
-    ctdb getpid
-    ctdb getreclock
-    ctdb getpid
-    ctdb pnn
-  These now simply print the requested output with no preamble.  This
-  means that scripts no longer need to strip part of the output.
-  "ctdb getreclock" now prints nothing when the recovery lock is not
-  set.
-* Output for the following commands has been improved:
-  ctdb setdebug
-  ctdb uptime
-* "ctdb process-exists" has been updated to only take a PID argument
-  The PNN can be specified with -n <PNN>.  Output also cleaned up.
-* LVS support has been reworked - related commands and configuration
-  variables have changed
-  "ctdb lvsmaster" and "ctdb lvs" have been replaced by a top level
-  "ctdb lvs" command that has "master", "list" and "status"
-  subcommands.
-  See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
-  including configuration changes.
-* Improved sample NFS Ganesha call-out
-New shadow_copy2 options
-  With growing number of snapshots file-systems need some mechanism to
-  differentiate one set of snapshots from other, e.g. monthly, weekly, manual,
-  special events, etc. Therefore these file-systems provide different ways to tag
-  snapshots, e.g. provide a configurable way to name snapshots, which is not just
-  based on time.  With only shadow:format it is very difficult to filter these
-  snapshots. With this optional parameter, one can specify a variable prefix
-  component for names of the snapshot directories in the file-system. If this
-  parameter is set, together with the shadow:format and shadow:delimiter
-  parameters it determines the possible names of snapshot directories in the
-  file-system. The option only supports Basic Regular Expression (BRE).
-  This optional parameter is used as a delimiter between shadow:snapprefix and
-  shadow:format This parameter is used only when shadow:snapprefix is set.
-  Default: shadow:delimiter = "_GMT"
-only user and username parameters
-These two parameters have long been deprecated and superseded by
-"valid users" and "invalid users".
 smb.conf changes
   Parameter Name                Description             Default
   --------------                -----------             -------
-  kccsrv:samba_kcc              Changed default         yes
-  ntlm auth                     Changed default         no
-  only user                     Removed
-  password hash gpg key ids     New
-  shadow:snapprefix             New
-  shadow:delimiter              New                     _GMT
-  smb2 leases                   Changed default         yes
-  username                      Removed

Samba Shared Repository

More information about the samba-cvs mailing list