[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Thu Sep 13 09:56:47 UTC 2018
The branch, master has been updated
via 08b7a83 Add Samba 4.9.0.
via 3586353 NEWS[4.9.0]: Samba 4.9.0 Available for Download
from e19bd94 NEWS[4.9.0rc5]: Samba 4.9.0rc5 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 08b7a836334b6c1a60fb326d0ccee07b58338639
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 13 11:56:32 2018 +0200
Add Samba 4.9.0.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 35863537ccd77f78c84f17d88c8f1ef2510d2727
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 13 11:54:58 2018 +0200
NEWS[4.9.0]: Samba 4.9.0 Available for Download
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 1 +
history/samba-4.9.0.html | 716 ++++++++++++++++++++++++
posted_news/20180913-095552.4.9.0.body.html | 12 +
posted_news/20180913-095552.4.9.0.headline.html | 3 +
4 files changed, 732 insertions(+)
create mode 100644 history/samba-4.9.0.html
create mode 100644 posted_news/20180913-095552.4.9.0.body.html
create mode 100644 posted_news/20180913-095552.4.9.0.headline.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 67350ec..33c30fe 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.9.0.html">samba-4.9.0</a></li>
<li><a href="samba-4.8.5.html">samba-4.8.5</a></li>
<li><a href="samba-4.8.4.html">samba-4.8.4</a></li>
<li><a href="samba-4.8.3.html">samba-4.8.3</a></li>
diff --git a/history/samba-4.9.0.html b/history/samba-4.9.0.html
new file mode 100644
index 0000000..88270e0
--- /dev/null
+++ b/history/samba-4.9.0.html
@@ -0,0 +1,716 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.9.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.9.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.0.tar.gz">Samba 4.9.0 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.0.tar.asc">Signature</a>
+</p>
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.9.0
+ September 13, 2018
+ =============================
+
+
+This is the first stable release of the Samba 4.9 release series.
+Please read the release notes carefully before upgrading.
+
+
+NEW FEATURES/CHANGES
+====================
+
+'net ads setspn'
+----------------
+
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionality that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
+
+The format of the command is:
+
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
+
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
+
+The format of a Windows SPN is
+ 'serviceclass/host:port/servicename' (servicename and port are optional)
+
+serviceclass/host is generally sufficient to specify a host based service.
+
+'net ads keytab' changes
+------------------------
+
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
+
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
+
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
+
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin, account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for getting the initial ticket granting ticket.
+
+VFS audit modules
+-----------------
+
+The vfs_full_audit module has changed its default set of monitored successful
+and failed operations from "all" to "none". That helps to prevent potential
+denial of service caused by simple addition of the module to the VFS objects.
+
+Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
+syslog(3) facility, in accordance with the manual page.
+
+Database audit support
+----------------------
+
+Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
+under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
+entries.
+
+Transaction commits and roll backs are now logged to Samba's debug logs under
+the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
+JSON formatted log entries.
+
+Password change audit support
+-----------------------------
+
+Password changes in the AD DC are now logged to Samba's debug logs under the
+"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
+formatted log entries.
+
+Group membership change audit support
+-------------------------------------
+
+Group membership changes on the AD DC are now logged to
+Samba's debug log under the "dsdb_group_audit" debug class and
+"dsdb_group_json_audit" for JSON formatted log entries.
+
+Log Authentication duration
+---------------------------
+
+For NTLM and Kerberos KDC authentication, the authentication duration is now
+logged. Note that the duration is only included in the JSON formatted log
+entries.
+
+JSON library Jansson required for the AD DC
+-------------------------------------------
+
+By default, the Jansson JSON library is required for Samba to build.
+It is strictly required for the Samba AD DC, and is optional for
+builds "--without-ad-dc" by specifying "--without-json-audit" at configure
+time.
+
+New experimental LMDB LDB backend
+---------------------------------
+
+A new experimental LDB backend using LMDB is now available. This allows
+databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+increased in a future release). To enable lmdb, provision or join a domain using
+the "--backend-store=mdb" option.
+
+This requires that a version of lmdb greater than 0.9.16 is installed and that
+samba has not been built with the "--without-ldb-lmdb" option.
+
+Please note this is an experimental feature and is not recommended for
+production deployments.
+
+Password Settings Objects
+-------------------------
+
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+
+Domain backup and restore
+-------------------------
+
+A new 'samba-tool' subcommand has been added that allows administrators to
+create a backup-file of their domain DB. In the event of a catastrophic failure
+of the domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
+New samba-tool options for diagnosing DRS replication issues
+------------------------------------------------------------
+
+The 'samba-tool drs showrepl' command has two new options controlling
+the output. With --summary, the command says very little when DRS
+replication is working well. With --json, JSON is produced. These
+options are intended for human and machine audiences, respectively.
+
+The 'samba-tool visualize uptodateness' visualizes replication lag as
+a heat-map matrix based on the DRS uptodateness vectors. This will
+show you if (but not why) changes are failing to replicate to some DCs.
+
+Automatic site coverage and GetDCName improvements
+--------------------------------------------------
+
+Samba's AD DC now automatically claims otherwise empty sites based on
+which DC is the nearest in the replication topology.
+
+This, combined with efforts to correctly identify the client side in
+the GetDCName Netlogon call will improve service to sites without a
+local DC.
+
+Improved 'samba-tool computer' command
+--------------------------------------
+
+The 'samba-tool computer' command allow manipulation of computer
+accounts including creating a new computer and resetting the password.
+This allows an 'offline join' of a member server or workstation to the
+Samba AD domain.
+
+New 'samba-tool ou' command
+---------------------------
+
+The new 'samba-tool ou' command allows to manage organizational units.
+
+Available subcommands are:
+ create - Create an organizational unit.
+ delete - Delete an organizational unit.
+ list - List all organizational units
+ listobjects - List all objects in an organizational unit.
+ move - Move an organizational unit.
+ rename - Rename an organizational unit.
+
+In addition to the ou commands, there are new subcommands for the user
+and group management, which can make use of the organizational units:
+ group move - Move a group to an organizational unit/container.
+ user move - Move a user to an organizational unit/container.
+ user show - Display a user AD object.
+
+Samba performance tool now operates against Microsoft Windows AD
+----------------------------------------------------------------
+
+The Samba AD performance testing tool 'traffic_reply' can now operate
+against a Windows based AD domain. Previously it only operated
+correctly against Samba.
+
+DNS entries are now cleaned up during DC demote
+-----------------------------------------------
+
+DNS records are now cleaned up as part of the 'samba-tool domain
+demote' including both the default and '--remove-other-dead-server'
+modes.
+
+Additionally, DNS records can be automatically cleaned up for a given
+name with the 'samba-tool dns cleanup' command, which aids in cleaning
+up partially removed DCs.
+
+samba-tool ntacl sysvolreset is now much faster
+-----------------------------------------------
+
+The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC,
+is now much faster than in previous versions, after an internal
+rework.
+
+Samba now tested with CI GitLab
+-------------------------------
+
+Samba developers now have pre-commit testing available in GitLab,
+giving reviewers confidence that the submitted patches pass a full CI
+before being submitted to the Samba Team's own autobuild system.
+
+Dynamic DNS record scavenging support
+-------------------------------------
+
+It is now possible to enable scavenging of DNS Zones to remove DNS
+records that were dynamically created and have not been touched in
+some time.
+
+This support should however only be enabled on new zones or new
+installations. Sadly old Samba versions suffer from BUG 12451 and
+mark dynamic DNS records as static and static records as dynamic.
+While a dbcheck rule may be able to find these in the future,
+currently a reliable test has not been devised.
+
+Finally, there is not currently a command-line tool to enable this
+feature, currently it should be enabled from the DNS Manager tool from
+Windows. Also the feature needs to have been enabled by setting the smb.conf
+parameter "dns zone scavenging = yes".
+
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has been further improved.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+
+The following features are new in 4.9 (compared to 4.8):
+
+- It's now possible to add users/groups of a trusted domain
+ into domain groups. The group memberships are expanded
+ on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+ created when members (as SID) of a trusted domain/forest
+ are added to a group.
+- The 'samba-tool group *members' commands allow
+ members to be specified as foreign SIDs.
+
+However there are currently still a few limitations:
+
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+ in domain B.
+- Selective (CROSS_ORGANIZATION) authentication is
+ not supported. It's possible to create such a trust,
+ but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+ one single domain.
+
+CTDB changes
+------------
+
+There are many changes to CTDB in this release.
+
+* Configuration has been completely overhauled
+
+ - Daemon and tool options are now specified in a new ctdb.conf
+ Samba-style configuration file. See ctdb.conf(5) for details.
+
+ - Event script configuration is no longer specified in the top-level
+ configuration file. It can now be specified per event script.
+ For example, configuration options for the 50.samba event script
+ can be placed alongside the event script in a file called
+ 50.samba.options. Script options can also be specified in a new
+ script.options file. See ctdb-script.options(5) for details.
+
+ - Options that affect CTDB startup should be configured in the
+ distribution-specific configuration file. See ctdb.sysconfig(5)
+ for details.
+
+ - Tunable settings are now loaded from ctdb.tunables. Using
+ CTDB_SET_TunableVariable=<value> in the main configuration file is
+ no longer supported. See ctdb-tunables(7) for details.
+
+ A example script to migrate an old-style configuration to the new
+ style is available in ctdb/doc/examples/config_migrate.sh.
+
+* The following configuration variables and corresponding ctdbd
+ command-line options have been removed and not replaced with
+ counterparts in the new configuration scheme:
+
+ CTDB_PIDFILE --pidfile
+ CTDB_SOCKET --socket
+ CTDB_NODES --nlist
+ CTDB_PUBLIC_ADDRESSES --public-addresses
+ CTDB_EVENT_SCRIPT_DIR --event-script-dir
+ CTDB_NOTIFY_SCRIPT --notification-script
+ CTDB_PUBLIC_INTERFACE --public-interface
+ CTDB_MAX_PERSISTENT_CHECK_ERRORS --max-persistent-check-errors
+
+ - The compile-time defaults should be used for the first 6 of these.
+ - Use a symbolic link from the configuration directory to specify a
+ different location for nodes or public_addresses (e.g. in the
+ cluster filesystem).
+ - Executable notification scripts in the notify.d/ subdirectory of
+ the configuration directory are now run by unconditionally.
+ - Interfaces for public IP addresses must always be specified in the
+ public_addresses file using the currently supported format.
+
+ Some related items that have been removed are:
+
+ - The ctdb command's --socket command-line option
+ - The ctdb command's CTDB_NODES environment variable
+
+ When writing tests there are still mechanisms available to change
+ the locations of certain directories and files.
+
+* The following ctdbd.conf and ctdbd options have been replaced by new
+ ctdb.conf options:
+
+ CTDB_LOGGING/--logging logging -> location
+ CTDB_DEBUGLEVEL/-d logging -> log level
+ CTDB_TRANSPORT/--transport cluster -> transport
+ CTDB_NODE_ADDRESS/--listen cluster -> node address
+ CTDB_RECOVERY_LOCK/--reclock cluster -> recovery lock
+ CTDB_DBDIR/--dbdir database -> volatile database directory
+ CTDB_DBDIR_PERSISTENT/--dbdir-persistent database -> peristent database directory
+ CTDB_DBDIR_STATE/--dbdir-state database -> state database directory
+ CTDB_DEBUG_LOCKS database -> lock debug script
+ CTDB_DEBUG_HUNG_SCRIPT event -> debug script
+ CTDB_NOSETSCHED/--nosetsched legacy -> realtime scheduling
+ CTDB_CAPABILITY_RECMASTER/--no-recmaster legacy -> recmaster capability
+ CTDB_CAPABILITY_LMASTER/--no-lmaster legacy -> lmaster capability
+ CTDB_START_AS_STOPPED/--start-as-stopped legacy -> start as stopped
+ CTDB_START_AS_DISABLED/--start-as-disabled legacy -> start as disabled
+ CTDB_SCRIPT_LOG_LEVEL/--script-log-level legacy -> script log level
+
+* Event scripts have moved to the scripts/legacy subdirectory of the
+ configuration directory
+
+ Event scripts must now end with a ".script" suffix.
+
+* The "ctdb event" command has changed in 2 ways:
+
+ - A component is now required for all commands
+
+ In this release the only valid component is "legacy".
+
+ - There is no longer a default event when running "ctdb event status"
+
+ Listing the status of the "monitor" event is now done via:
+
+ ctdb event status legacy monitor
+
+ See ctdb(1) for details.
+
+* The following service-related event script options have been
+ removed:
+
+ CTDB_MANAGES_SAMBA
+ CTDB_MANAGES_WINBIND
+
+ CTDB_MANAGES_CLAMD
+ CTDB_MANAGES_HTTPD
+ CTDB_MANAGES_ISCSI
+ CTDB_MANAGES_NFS
+ CTDB_MANAGES_VSFTPD
+
+ CTDB_MANAGED_SERVICES
+
+ Event scripts for services are now disabled by default. To enable
+ an event script and, therefore, manage a service use a command like
+ the following:
+
+ ctdb event script enable legacy 50.samba
+
+* Notification scripts have moved to the scripts/notification
+ subdirectory of the configuration directory
+
+ Notification scripts must now end with a ".script" suffix.
+
+* Support for setting CTDB_DBDIR=tmpfs has been removed
+
+ This feature has not been implemented in the new configuration
+ system. If this is desired then a tmpfs filesystem should be
+ manually mounted on the directory pointed to by the "volatile
+ database directory" option. See ctdb.conf(5) for more details.
+
+* The following tunable options are now ctdb.conf options:
+
+ DisabledIPFailover failover -> disabled
+ TDBMutexEnabled database -> tdb mutexes
+
+* Support for the NoIPHostOnAllDisabled tunable has been removed
+
+ If all nodes are unhealthy or disabled then CTDB will not host
+ public IP addresses. That is, CTDB now behaves as if
+ NoIPHostOnAllDisabled were set to 1.
+
+* The onnode command's CTDB_NODES_FILE environment variable has been
+ removed
+
+ The -f option can still be used to specify an alternate node file.
+
+* The 10.external event script has been removed
+
+* The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
+
+ As with other daemons, if ctdbd does not shut down when requested
+ then manual intervention is required. There is no safe way of
+ automatically killing ctdbd after a failed shutdown.
+
+* CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration
+ variable have been removed
+
--
Samba Website Repository
More information about the samba-cvs
mailing list