[SCM] Samba Shared Repository - branch v4-7-test updated

Karolin Seeger kseeger at samba.org
Wed Sep 6 12:22:04 UTC 2017


The branch, v4-7-test has been updated
       via  4cc6517 WHATSNEW: We generate SHA265 certificates now
       via  2ab073a WHATSNEW: warn against using the RODC on older Samba versions
       via  4dfa810 WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP
       via  d6a9f6b WHATSNEW: fix spelling
      from  eb299c6 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -----------------------------------------------------------------
commit 4cc6517a170f075a14375d64c56d7690c93a1e29
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 28 21:37:16 2017 +1200

    WHATSNEW: We generate SHA265 certificates now
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(v4-7-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-7-test): Wed Sep  6 14:21:15 CEST 2017 on sn-devel-144

commit 2ab073a1ab9fa76337ca01e7dbc050795ec439ce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 28 21:36:14 2017 +1200

    WHATSNEW: warn against using the RODC on older Samba versions
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4dfa810ed569406387bbb4abd636ab3c7543c8f9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 28 21:35:56 2017 +1200

    WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit d6a9f6be321f7f2489df934dc57362f09b5f3863
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 28 21:35:34 2017 +1200

    WHATSNEW: fix spelling
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c58c297..8ba321f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency
 --------------------------------------------------------------
 
 Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
+erroneously did not take whole-DB read locks to protect search
 and DRS replication operations.
 
 While each object returned remained subject to a record-level lock (so
@@ -150,7 +150,8 @@ the rest of the 'samba' process, rather than being forced into a single
 process.  This aids in Samba's ability to scale to larger numbers of AD
 clients and the AD DC's overall resiliency, but will mean that there is a
 fork()ed child for every LDAP client, which may be more resource
-intensive in some situations.
+intensive in some situations.  If you run Samba in a
+resource-constrained VM, consider allocating more RAM and swap space.
 
 Improved Read-Only Domain Controller (RODC) Support
 ---------------------------------------------------
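Review bot: The sentence added at the end of the multi-process LDAP paragraph tells admins to consider "more RAM and swap space" but gives them nothing to size against. The preceding text already says there is a fork()ed child for every LDAP client, so tie the advice to the expected number of concurrent LDAP clients. It would also help to say that this applies to any memory-limited host, not only a VM.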
@@ -172,6 +173,14 @@ The reliability of RODCs locating a writable partner still requires some
 improvements and so the 'password server' configuration option is generally
 recommended on the RODC.
 
+Samba 4.7 is the first Samba release to be secure as an RODC or when
+hosting an RODC.  If you have been using earlier Samba versions to
+host or be an RODC, please upgrade.
+
+In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
+details on the security implications for password disclosure to an
+RODC using earlier versions.
+
 Additional password hashes stored in supplementalCredentials
 ------------------------------------------------------------
 
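Review bot: "please upgrade" in the first added paragraph leaves open whether upgrading alone is enough for sites that already ran or hosted an RODC on earlier versions, given that the second paragraph refers to password disclosure to an RODC. State in WHATSNEW whether any follow-up action is needed after the upgrade, or say explicitly that bug 12977 covers it. "secure as an RODC" also reads as an absolute guarantee; narrower wording that refers to the specific fixes would be easier to stand behind.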
@@ -247,6 +256,15 @@ the talloc_autofree_context() (which is inherently thread-unsafe)
 and still be valgrind-clean on exit. Modules that don't need to
 free long-lived data on exit should use the NULL talloc context.
 
+SHA256 LDAPS Certificates
+-------------------------
+
+The self-signed certificate generated for use on LDAPS will now be
+generated with a SHA256 self-signature, not a SHA1 self-signature.
+
+Replacing this certificate with a certificate signed by a trusted
+CA is still highly recommended.
+
 CTDB changes
 ------------
 
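Review bot: The new "SHA256 LDAPS Certificates" section does not say what happens to a self-signed certificate that an earlier version already generated, so readers cannot tell whether an upgraded server keeps its SHA1-signed certificate or gets a new one. Add a sentence covering existing installations. Separately, the commit subject says "SHA265" while the section text says SHA256; the typo is in the subject.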


-- 
Samba Shared Repository


