[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Thu Sep 21 09:02:49 UTC 2017
The branch, master has been updated
via ca15e80 Add Samba 4.7.0 to the list of releases.
via 4818142 NEWS[4.7.0]: Samba 4.7.0 Available for Download
from e0c0869 Add release notes for Samba 4.5.14 and 4.4.16.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ca15e80f34e462a3885900949eb2a406a452411a
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 21 11:02:31 2017 +0200
Add Samba 4.7.0 to the list of releases.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 481814286ae825c4a617b831ae5813010c29b282
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 21 08:33:53 2017 +0200
NEWS[4.7.0]: Samba 4.7.0 Available for Download
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 1 +
history/samba-4.7.0.html | 606 ++++++++++++++++++++++++
posted_news/20170921-090136.4.7.0.body.html | 12 +
posted_news/20170921-090136.4.7.0.headline.html | 3 +
4 files changed, 622 insertions(+)
create mode 100644 history/samba-4.7.0.html
create mode 100644 posted_news/20170921-090136.4.7.0.body.html
create mode 100644 posted_news/20170921-090136.4.7.0.headline.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 995c08a..1956632 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.7.0.html">samba-4.7.0</a></li>
<li><a href="samba-4.6.8.html">samba-4.6.8</a></li>
<li><a href="samba-4.6.7.html">samba-4.6.7</a></li>
<li><a href="samba-4.6.6.html">samba-4.6.6</a></li>
diff --git a/history/samba-4.7.0.html b/history/samba-4.7.0.html
new file mode 100644
index 0000000..0757fd1
--- /dev/null
+++ b/history/samba-4.7.0.html
@@ -0,0 +1,606 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.7.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.7.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.7.0.tar.gz">Samba 4.7.0 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.7.0.tar.asc">Signature</a>
+</p>
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.7.0
+ September 20, 2017
+ =============================
+
+
+This is the first stable release of Samba 4.7.
+Please read the release notes carefully before upgrading.
+
+UPGRADING
+=========
+
+'smbclient' changes
+------------------
+
+'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
+banner when connecting to the first server. With SMB2 and Kerberos,
+there's no way to print this information reliably. Now we avoid it at all
+consistently. In interactive sessions the following banner is now presented
+to the user: 'Try "help" do get a list of possible commands.'.
+
+The default for "client max protocol" has changed to "SMB3_11",
+which means that 'smbclient' (and related commands) will work against
+servers without SMB1 support.
+
+It's possible to use the '-m/--max-protocol' option to overwrite
+the "client max protocol" option temporarily.
+
+Note that the '-e/--encrypt' option also works with most SMB3 servers
+(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
+are not required for encryption.
+
+The change to SMB3_11 as default also means 'smbclient' no longer
+negotiates SMB1 unix extensions by default, when talking to a Samba server with
+"unix extensions = yes". As a result, some commands are not available, e.g.
+'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink',
+'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenables them, if the
+server supports SMB1.
+
+Note the default ("CORE") for "client min protocol" hasn't changed,
+so it's still possible to connect to SMB1-only servers by default.
+
+'smbclient' learned a new command 'deltree' that is able to do
+a recursive deletion of a directory tree.
+
+
+NEW FEATURES/CHANGES
+====================
+
+Whole DB read locks: Improved LDAP and replication consistency
+--------------------------------------------------------------
+
+Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
+erroneously did not take whole-DB read locks to protect search
+and DRS replication operations.
+
+While each object returned remained subject to a record-level lock (so
+would remain consistent to itself), under a race condition with a
+rename or delete, it and any links (like the member attribute) to it
+would not be returned.
+
+The symptoms of this issue include:
+
+Replication failures with this error showing in the client side logs:
+ error during DRS repl ADD: No objectClass found in replPropertyMetaData for
+ Failed to commit objects:
+ WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
+
+A crash of the server, in particular the rpc_server process with
+ INTERNAL ERROR: Signal 11
+
+LDAP read inconsistency
+ A DN subject to a search at the same time as it is being renamed
+ may not appear under either the old or new name, but will re-appear
+ for a subsequent search.
+
+See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
+and updated advise on database recovery for affected installations.
+
+Samba AD with MIT Kerberos
+--------------------------
+
+After four years of development, Samba finally supports compiling and
+running Samba AD with MIT Kerberos. You can enable it with:
+
+ ./configure --with-system-mitkrb5
+
+Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
+The krb5-devel and krb5-server packages are required.
+The feature set is not on par with the Heimdal build but the most important
+things, like forest and external trusts, are working. Samba uses the KDC binary
+provided by MIT Kerberos.
+
+Missing features, compared to Heimdal, are:
+ * PKINIT support
+ * S4U2SELF/S4U2PROXY support
+ * RODC support (not fully working with Heimdal either)
+
+The Samba AD process will take care of starting the MIT KDC and it will load a
+KDB (Kerberos Database) driver to access the Samba AD database. When
+provisioning an AD DC using 'samba-tool' it will take care of creating a correct
+kdc.conf file for the MIT KDC.
+
+For further details, see:
+https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
+
+Dynamic RPC port range
+----------------------
+
+The dynamic port range for RPC services has been changed from the old default
+value "1024-1300" to "49152-65535". This port range is not only used by a
+Samba AD DC, but also applies to all other server roles including NT4-style
+domain controllers. The new value has been defined by Microsoft in Windows
+Server 2008 and newer versions. To make it easier for Administrators to control
+those port ranges we use the same default and make it configurable with the
+option: "rpc server dynamic port range".
+
+The "rpc server port" option sets the first available port from the new
+"rpc server dynamic port range" option. The option "rpc server port" only
+applies to Samba provisioned as an AD DC.
+
+Authentication and Authorization audit support
+----------------------------------------------
+
+Detailed authentication and authorization audit information is now
+logged to Samba's debug logs under the "auth_audit" debug class,
+including in particular the client IP address triggering the audit
+line. Additionally, if Samba is compiled against the jansson JSON
+library, a JSON representation is logged under the "auth_json_audit"
+debug class.
+
+Audit support is comprehensive for all authentication and
+authorisation of user accounts in the Samba Active Directory Domain
+Controller, as well as the implicit authentication in password
+changes. In the file server and classic/NT4 domain controller, NTLM
+authentication, SMB and RPC authorization is covered, however password
+changes are not at this stage, and this support is not currently
+backed by a testsuite.
+
+For further details, see:
+https://wiki.samba.org/index.php/Setting_up_Audit_Logging
+
+Multi-process LDAP Server
+-------------------------
+
+The LDAP server in the AD DC now honours the process model used for
+the rest of the 'samba' process, rather than being forced into a single
+process. This aids in Samba's ability to scale to larger numbers of AD
+clients and the AD DC's overall resiliency, but will mean that there is a
+fork()ed child for every LDAP client, which may be more resource
+intensive in some situations. If you run Samba in a
+resource-constrained VM, consider allocating more RAM and swap space.
+
+Improved Read-Only Domain Controller (RODC) Support
+---------------------------------------------------
+
+Support for RODCs in Samba AD until now has been experimental. With this latest
+version, many of the critical bugs have been fixed and the RODC can be used in
+DC environments requiring no writable behaviour. RODCs now correctly support
+bad password lockouts and password disclosure auditing through the
+msDS-RevealedUsers attribute.
+
+The fixes made to the RWDC will also allow Windows RODC to function more
+correctly and to avoid strange data omissions such as failures to replicate
+groups or updated passwords. Password changes are currently rejected at the
+RODC, although referrals should be given over LDAP. While any bad passwords can
+trigger domain-wide lockout, good passwords which have not been replicated yet
+for a password change can only be used via NTLM on the RODC (and not Kerberos).
+
+The reliability of RODCs locating a writable partner still requires some
+improvements and so the 'password server' configuration option is generally
+recommended on the RODC.
+
+Samba 4.7 is the first Samba release to be secure as an RODC or when
+hosting an RODC. If you have been using earlier Samba versions to
+host or be an RODC, please upgrade.
+
+In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
+details on the security implications for password disclosure to an
+RODC using earlier versions.
+
+Additional password hashes stored in supplementalCredentials
+------------------------------------------------------------
+
+A new config option 'password hash userPassword schemes' has been added to
+enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
+password with reversible encryption). This builds upon previous work to improve
+password sync for the AD DC (originally using GPG).
+
+The user command of 'samba-tool' has been updated in order to be able to
+extract these additional hashes, as well as extracting the (HTTP) WDigest
+hashes that we had also been storing in supplementalCredentials.
+
+Improvements to DNS during Active Directory domain join
+-------------------------------------------------------
+
+The 'samba-tool' domain join command will now add the A and GUID DNS records
+(on both the local and remote servers) during a join if possible via RPC. This
+should allow replication to proceed more smoothly post-join.
+
+The mname element of the SOA record will now also be dynamically generated to
+point to the local read-write server. 'samba_dnsupdate' should now be more
+reliable as it will now find the appropriate name server even when resolv.conf
+points to a forwarder.
+
+Significant AD performance and replication improvements
+-------------------------------------------------------
+
+Previously, replication of group memberships was been an incredibly expensive
+process for the AD DC. This was mostly due to unnecessary CPU time being spent
+parsing member linked attributes. The database now stores these linked
+attributes in sorted form to perform efficient searches for existing members.
+In domains with a large number of group memberships, a join can now be
+completed in half the time compared with Samba 4.6.
+
+LDAP search performance has also improved, particularly in the unindexed search
+case. Parsing and processing of security descriptors should now be more
+efficient, improving replication but also overall performance.
+
+Query record for open file or directory
+---------------------------------------
+
+The record attached to an open file or directory in Samba can be
+queried through the 'net tdb locking' command. In clustered Samba this
+can be useful to determine the file or directory triggering
+corresponding "hot" record warnings in ctdb.
+
+Removal of lpcfg_register_defaults_hook()
+-----------------------------------------
+
+The undocumented and unsupported function lpcfg_register_defaults_hook()
+that was used by external projects to call into Samba and modify
+smb.conf default parameter settings has been removed. If your project
+was using this call please raise the issue on
+samba-technical at lists.samba.org in order to design a supported
+way of obtaining the same functionality.
+
+Change of loadable module interface
+-----------------------------------
+
+The _init function of all loadable modules in Samba has changed
+from:
+
+NTSTATUS _init(void);
+
+to:
+
+NTSTATUS _init(TALLOC_CTX *);
+
+This allows a program loading a module to pass in a long-lived
+talloc context (which must be guaranteed to be alive for the
+lifetime of the module). This allows modules to avoid use of
+the talloc_autofree_context() (which is inherently thread-unsafe)
+and still be valgrind-clean on exit. Modules that don't need to
+free long-lived data on exit should use the NULL talloc context.
+
+SHA256 LDAPS Certificates
+-------------------------
+
+The self-signed certificate generated for use on LDAPS will now be
+generated with a SHA256 self-signature, not a SHA1 self-signature.
+
+Replacing this certificate with a certificate signed by a trusted
+CA is still highly recommended.
+
+CTDB changes
+------------
+
+* CTDB no longer allows mixed minor versions in a cluster
+
+ See the AllowMixedVersions tunable option in ctdb-tunables(7) and also
+ https://wiki.samba.org/index.php/Upgrading_a_CTDB_cluster#Policy
+
+* CTDB now ignores hints from Samba about TDB flags when attaching to databases
+
+ CTDB will use the correct flags depending on the type of database.
+ For clustered databases, the smb.conf setting
+ dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues
+ to use the TDBMutexEnabled tunable.
+
+* New configuration variable CTDB_NFS_CHECKS_DIR
+
+ See ctdbd.conf(5) for more details.
+
+* The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been
+ removed
+
+ To continue to manage/unmanage services while CTDB is running:
+
+ - Start service by hand and then flag it as managed
+
+ - Mark service as unmanaged and shut it down by hand
+
+ - In some cases CTDB does something fancy - e.g. start Samba under
+ "nice", so care is needed. One technique is to disable the
+ eventscript, mark as managed, run the startup event by hand and then
+ re-enable the eventscript.
+
+* The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
+
+* The example NFS Ganesha call-out has been improved
+
+* A new "replicated" database type is available
+
+ Replicated databases are intended for CTDB's internal use to
+ replicate state data across the cluster, but may find other
+ uses. The data in replicated databases is valid for the lifetime of
+ CTDB and cleared on first attach.
+
+Using x86_64 Accelerated AES Crypto Instructions
+------------------------------------------------
+
+Samba on x86_64 can now be configured to use the Intel accelerated AES
+instruction set, which has the potential to make SMB3 signing and
+encryption much faster on client and server. To enable this, configure
+Samba using the new option --accel-aes=intelaesni.
+
+This is a temporary solution that is being included to allow users
+to enjoy the benefits of Intel accelerated AES on the x86_64 platform,
+but the longer-term solution will be to move Samba to a fully supported
+external crypto library.
+
+The third_party/aesni-intel code will be removed from Samba as soon as
+external crypto library performance reaches parity.
+
+The default is to build without setting --accel-aes, which uses the
+existing Samba software AES implementation.
+
+Parameter changes
+-----------------
+
+The "strict sync" global parameter has been changed from
+a default of "no" to "yes". This means smbd will by default
+obey client requests to synchronize unwritten data in operating
+system buffers safely onto disk. This is a safer default setting
+for modern SMB1/2/3 clients.
+
+The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
+the previous behaviour. Two new values have been provided,
+'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1)
+and 'disabled', totally disabling NTLM authentication and password
+changes.
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow unsafe cluster upgrade New parameter no
+ auth event notification New parameter no
+ auth methods Deprecated
+ client max protocol Effective SMB3_11
+ default changed
+ map untrusted to domain New value/ auto
+ Default changed/
+ Deprecated
+ mit kdc command New parameter
+ profile acls Deprecated
+ rpc server dynamic port range New parameter 49152-65535
+ strict sync Default changed yes
+ password hash userPassword schemes New parameter
+ ntlm auth New values ntlmv2-only
+
+
+KNOWN ISSUES
+============
+
+https://wiki.samba.org/inFdex.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
+
+
+CHANGES SINCE 4.7.0rc6
+======================
+
+o CVE-2017-12150:
+ A man in the middle attack may hijack client connections.
+
+o CVE-2017-12151:
+ A man in the middle attack can read and may alter confidential
+ documents transferred via a client connection, which are reached
+ via DFS redirect when the original connection used SMB3.
+
+o CVE-2017-12163:
+ Client with write access to a share can cause server memory contents to be
+ written into a file or printer.
+
+
+CHANGES SINCE 4.7.0rc5
+======================
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13003: s3: vfs: catia: compression get/set must act only on base file, and
+ must cope with fsp==NULL.
+ * BUG 13008: lib: crypto: Make smbd use the Intel AES instruction set for signing
+ and encryption.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 12946: s4-drsuapi: Avoid segfault when replicating as a non-admin with
+ GUID_DRS_GET_CHANGES.
+ * BUG 13015: Allow re-index of newer databases with binary GUID TDB keys
+ (this officially removes support for re-index of the original pack format 0,
+ rather than simply segfaulting).
+ * BUG 13017: Add ldb_ldif_message_redacted_string() to allow debug of redacted
+ log messages, avoiding showing secret values.
+ * BUG 13023: ldb: version 1.2.2.
+ * BUG 13025: schema: Rework dsdb_schema_set_indices_and_attributes() db
+ operations.
+
+o Alexander Bokovoy <ab at samba.org>
+ * BUG 13030: Install dcerpc/__init__.py for all Python environments.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 13024: s3/smbd: Sticky write time offset miscalculation causes broken
+ timestamps
+ * BUG 13037: lib/util: Only close the event_fd in tfork if the caller didn't
+ call tfork_event_fd().
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 13006: messaging: Avoid a socket leak after fork.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13018: charset: Fix str[n]casecmp_m() by comparing lower case values.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 13037: util_runcmd: Free the fde in event handler.
+
+o Amitay Isaacs <amitay at gmail.com>
+ * BUG 13012: ctdb-daemon: Fix implementation of process_exists control.
+ * BUG 13021: GET_DB_SEQNUM control can cause ctdb to deadlock when databases
+ are frozen.
+ * BUG 13029: ctdb-daemon: Free up record data if a call request is deferred.
+ * BUG 13036: ctdb-client: Initialize ctdb_ltdb_header completely for empty
+ record.
+
+o Christof Schmitt <cs at samba.org>
+ * BUG 13032: vfs_streams_xattr: Fix segfault when running with log level 10.
+
+
+CHANGES SINCE 4.7.0rc4
+======================
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 12929: smb.conf: Explain that "ntlm auth" is a per-passdb setting.
+ * BUG 12953: s4/lib/tls: Use SHA256 to sign the TLS certificates.
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 12932: Get rid of talloc_autofree_context().
+
+o Amitay Isaacs <amitay at gmail.com>
+ * BUG 12978: After restarting CTDB, it attaches replicated databases with
+ wrong flags.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12863: s3:smbclient: Don't try any workgroup listing with
+ "client min protocol = SMB2".
+ * BUG 12876: s3:libsmb: Don't call cli_NetServerEnum() on SMB2/3 connections
+ in SMBC_opendir_ctx().
+ * BUG 12881: s3:libsmb: Let do_connect() debug the negotiation result
+ similar to "session request ok".
+ * BUG 12919: s4:http/gensec: add missing tevent_req_done() to
+ gensec_http_ntlm_update_done().
+ * BUG 12968: Fix 'smbclient tarmode' with SMB2/3.
+ * BUG 12973: 'smbd': Don't use a lot of CPU on startup of a connection.
+
+o Christof Schmitt <cs at samba.org>
+ * BUG 12983: vfs_default: Fix passing of errno from async calls.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 12629: s3:utils: Do not report an invalid range for AD DC role.
--
Samba Website Repository
More information about the samba-cvs
mailing list