[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Thu Sep 13 09:56:47 UTC 2018

The branch, master has been updated
       via  08b7a83 Add Samba 4.9.0.
       via  3586353 NEWS[4.9.0]: Samba 4.9.0 Available for Download
      from  e19bd94 NEWS[4.9.0rc5]: Samba 4.9.0rc5 Available for Download


- Log -----------------------------------------------------------------
commit 08b7a836334b6c1a60fb326d0ccee07b58338639
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 13 11:56:32 2018 +0200

    Add Samba 4.9.0.
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 35863537ccd77f78c84f17d88c8f1ef2510d2727
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Sep 13 11:54:58 2018 +0200

    NEWS[4.9.0]: Samba 4.9.0 Available for Download
    Signed-off-by: Karolin Seeger <kseeger at samba.org>


Summary of changes:
 history/header_history.html                     |   1 +
 history/samba-4.9.0.html                        | 716 ++++++++++++++++++++++++
 posted_news/20180913-095552.4.9.0.body.html     |  12 +
 posted_news/20180913-095552.4.9.0.headline.html |   3 +
 4 files changed, 732 insertions(+)
 create mode 100644 history/samba-4.9.0.html
 create mode 100644 posted_news/20180913-095552.4.9.0.body.html
 create mode 100644 posted_news/20180913-095552.4.9.0.headline.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 67350ec..33c30fe 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
+			<li><a href="samba-4.9.0.html">samba-4.9.0</a></li>
 			<li><a href="samba-4.8.5.html">samba-4.8.5</a></li>
 			<li><a href="samba-4.8.4.html">samba-4.8.4</a></li>
 			<li><a href="samba-4.8.3.html">samba-4.8.3</a></li>
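Review bot: The added entry's href is relative (samba-4.9.0.html), while the "Release Notes" link two lines above it is root-relative (/samba/history/). This matches the sibling 4.8.x entries, so it is consistent, but it only resolves correctly when this header is included from pages inside the history directory. Worth confirming that is the only place it is included, or switching the whole list to root-relative links in a follow-up.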
diff --git a/history/samba-4.9.0.html b/history/samba-4.9.0.html
new file mode 100644
index 0000000..88270e0
--- /dev/null
+++ b/history/samba-4.9.0.html
@@ -0,0 +1,716 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<title>Samba 4.9.0 - Release Notes</title>
+<H2>Samba 4.9.0 Available for Download</H2>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.0.tar.gz">Samba 4.9.0 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.0.tar.asc">Signature</a>
+                   =============================
+                   Release Notes for Samba 4.9.0
+                        September 13, 2018
+		   =============================
+This is the first stable release of the Samba 4.9 release series.
+Please read the release notes carefully before upgrading.
+'net ads setspn'
+There is a new 'net ads setspn' sub command for managing Windows SPN(s)
+on the AD. This command aims to give the basic functionality that is
+provided on windows by 'setspn.exe' e.g. ability to add, delete and list
+Windows SPN(s) stored in a Windows AD Computer object.
+The format of the command is:
+net ads setspn list [machine]
+net ads setspn [add | delete ] SPN [machine]
+'machine' is the name of the computer account on the AD that is to be managed.
+If 'machine' is not specified the name of the 'client' running the command
+is used instead.
+The format of a Windows SPN is
+  'serviceclass/host:port/servicename' (servicename and port are optional)
+serviceclass/host is generally sufficient to specify a host based service.
+'net ads keytab' changes
+net ads keytab add no longer attempts to convert the passed serviceclass
+(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
+computer object. By default just the keytab file is modified.
+A new keytab subcommand 'add_update_ads' has been added to preserve the
+legacy behaviour. However the new 'net ads setspn add' subcommand should
+really be used instead.
+net ads keytab create no longer tries to generate SPN(s) from existing
+entries in a keytab file. If it is required to add Windows SPN(s) then
+'net ads setspn add' should be used instead.
+Local authorization plugin for MIT Kerberos
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail.  With this plugin, account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for getting the initial ticket granting ticket.
+VFS audit modules
+The vfs_full_audit module has changed its default set of monitored successful
+and failed operations from "all" to "none". That helps to prevent potential
+denial of service caused by simple addition of the module to the VFS objects.
+Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
+syslog(3) facility, in accordance with the manual page.
+Database audit support
+Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
+under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
+Transaction commits and roll backs are now logged to Samba's debug logs under
+the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
+JSON formatted log entries.
+Password change audit support
+Password changes in the AD DC are now logged to Samba's debug logs under the
+"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
+formatted log entries.
+Group membership change audit support
+Group membership changes on the AD DC are now logged to
+Samba's debug log under the "dsdb_group_audit" debug class and
+"dsdb_group_json_audit" for JSON formatted log entries.
+Log Authentication duration
+For NTLM and Kerberos KDC authentication, the authentication duration is now
+logged. Note that the duration is only included in the JSON formatted log
+JSON library Jansson required for the AD DC
+By default, the Jansson JSON library is required for Samba to build.
+It is strictly required for the Samba AD DC, and is optional for
+builds "--without-ad-dc" by specifying "--without-json-audit" at configure
+New experimental LMDB LDB backend
+A new experimental LDB backend using LMDB is now available. This allows
+databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+increased in a future release). To enable lmdb, provision or join a domain using
+the "--backend-store=mdb" option.
+This requires that a version of lmdb greater than 0.9.16 is installed and that
+samba has not been built with the "--without-ldb-lmdb" option.
+Please note this is an experimental feature and is not recommended for
+production deployments.
+Password Settings Objects
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+Domain backup and restore
+A new 'samba-tool' subcommand has been added that allows administrators to
+create a backup-file of their domain DB. In the event of a catastrophic failure
+of the domain, this backup-file can be used to restore Samba services.
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+Domain rename tool
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+New samba-tool options for diagnosing DRS replication issues
+The 'samba-tool drs showrepl' command has two new options controlling
+the output. With --summary, the command says very little when DRS
+replication is working well. With --json, JSON is produced. These
+options are intended for human and machine audiences, respectively.
+The 'samba-tool visualize uptodateness' visualizes replication lag as
+a heat-map matrix based on the DRS uptodateness vectors. This will
+show you if (but not why) changes are failing to replicate to some DCs.
+Automatic site coverage and GetDCName improvements
+Samba's AD DC now automatically claims otherwise empty sites based on
+which DC is the nearest in the replication topology.
+This, combined with efforts to correctly identify the client side in
+the GetDCName Netlogon call will improve service to sites without a
+local DC.
+Improved 'samba-tool computer' command
+The 'samba-tool computer' command allow manipulation of computer
+accounts including creating a new computer and resetting the password.
+This allows an 'offline join' of a member server or workstation to the
+Samba AD domain.
+New 'samba-tool ou' command
+The new 'samba-tool ou' command allows to manage organizational units.
+Available subcommands are:
+  create       - Create an organizational unit.
+  delete       - Delete an organizational unit.
+  list         - List all organizational units
+  listobjects  - List all objects in an organizational unit.
+  move         - Move an organizational unit.
+  rename       - Rename an organizational unit.
+In addition to the ou commands, there are new subcommands for the user
+and group management, which can make use of the organizational units:
+  group move   - Move a group to an organizational unit/container.
+  user move    - Move a user to an organizational unit/container.
+  user show    - Display a user AD object.
+Samba performance tool now operates against Microsoft Windows AD
+The Samba AD performance testing tool 'traffic_reply' can now operate
+against a Windows based AD domain.  Previously it only operated
+correctly against Samba.
+DNS entries are now cleaned up during DC demote
+DNS records are now cleaned up as part of the 'samba-tool domain
+demote' including both the default and '--remove-other-dead-server'
+Additionally, DNS records can be automatically cleaned up for a given
+name with the 'samba-tool dns cleanup' command, which aids in cleaning
+up partially removed DCs.
+samba-tool ntacl sysvolreset is now much faster
+The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC,
+is now much faster than in previous versions, after an internal
+Samba now tested with CI GitLab
+Samba developers now have pre-commit testing available in GitLab,
+giving reviewers confidence that the submitted patches pass a full CI
+before being submitted to the Samba Team's own autobuild system.
+Dynamic DNS record scavenging support
+It is now possible to enable scavenging of DNS Zones to remove DNS
+records that were dynamically created and have not been touched in
+some time.
+This support should however only be enabled on new zones or new
+installations.  Sadly old Samba versions suffer from BUG 12451 and
+mark dynamic DNS records as static and static records as dynamic.
+While a dbcheck rule may be able to find these in the future,
+currently a reliable test has not been devised.
+Finally, there is not currently a command-line tool to enable this
+feature, currently it should be enabled from the DNS Manager tool from
+Windows. Also the feature needs to have been enabled by setting the smb.conf
+parameter "dns zone scavenging = yes".
+Improved support for trusted domains (as AD DC)
+The support for trusted domains/forests has been further improved.
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+The following features are new in 4.9 (compared to 4.8):
+- It's now possible to add users/groups of a trusted domain
+  into domain groups. The group memberships are expanded
+  on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+  created when members (as SID) of a trusted domain/forest
+  are added to a group.
+- The 'samba-tool group *members' commands allow
+  members to be specified as foreign SIDs.
+However there are currently still a few limitations:
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+  in domain B.
+- Selective (CROSS_ORGANIZATION) authentication is
+  not supported. It's possible to create such a trust,
+  but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+  one single domain.
+CTDB changes
+There are many changes to CTDB in this release.
+* Configuration has been completely overhauled
+  - Daemon and tool options are now specified in a new ctdb.conf
+    Samba-style configuration file.  See ctdb.conf(5) for details.
+  - Event script configuration is no longer specified in the top-level
+    configuration file.  It can now be specified per event script.
+    For example, configuration options for the 50.samba event script
+    can be placed alongside the event script in a file called
+    50.samba.options.  Script options can also be specified in a new
+    script.options file.  See ctdb-script.options(5) for details.
+  - Options that affect CTDB startup should be configured in the
+    distribution-specific configuration file.  See ctdb.sysconfig(5)
+    for details.
+  - Tunable settings are now loaded from ctdb.tunables.  Using
+    CTDB_SET_TunableVariable=<value> in the main configuration file is
+    no longer supported.  See ctdb-tunables(7) for details.
+  A example script to migrate an old-style configuration to the new
+  style is available in ctdb/doc/examples/config_migrate.sh.
+* The following configuration variables and corresponding ctdbd
+  command-line options have been removed and not replaced with
+  counterparts in the new configuration scheme:
+    CTDB_PIDFILE                     --pidfile
+    CTDB_SOCKET			     --socket
+    CTDB_NODES			     --nlist
+    CTDB_PUBLIC_ADDRESSES	     --public-addresses
+    CTDB_EVENT_SCRIPT_DIR	     --event-script-dir
+    CTDB_NOTIFY_SCRIPT		     --notification-script
+    CTDB_PUBLIC_INTERFACE	     --public-interface
+    CTDB_MAX_PERSISTENT_CHECK_ERRORS --max-persistent-check-errors
+  - The compile-time defaults should be used for the first 6 of these.
+  - Use a symbolic link from the configuration directory to specify a
+    different location for nodes or public_addresses (e.g. in the
+    cluster filesystem).
+  - Executable notification scripts in the notify.d/ subdirectory of
+    the configuration directory are now run by unconditionally.
+  - Interfaces for public IP addresses must always be specified in the
+    public_addresses file using the currently supported format.
+  Some related items that have been removed are:
+  - The ctdb command's --socket command-line option
+  - The ctdb command's CTDB_NODES environment variable
+  When writing tests there are still mechanisms available to change
+  the locations of certain directories and files.
+* The following ctdbd.conf and ctdbd options have been replaced by new
+  ctdb.conf options:
+    CTDB_LOGGING/--logging                     logging  -> location
+    CTDB_DEBUGLEVEL/-d                         logging  -> log level
+    CTDB_TRANSPORT/--transport                 cluster  -> transport
+    CTDB_NODE_ADDRESS/--listen                 cluster  -> node address
+    CTDB_RECOVERY_LOCK/--reclock               cluster  -> recovery lock
+    CTDB_DBDIR/--dbdir                         database -> volatile database directory
+    CTDB_DBDIR_PERSISTENT/--dbdir-persistent   database -> peristent database directory
+    CTDB_DBDIR_STATE/--dbdir-state             database -> state database directory
+    CTDB_DEBUG_LOCKS                           database -> lock debug script
+    CTDB_DEBUG_HUNG_SCRIPT                     event    -> debug script
+    CTDB_NOSETSCHED/--nosetsched               legacy   -> realtime scheduling
+    CTDB_CAPABILITY_RECMASTER/--no-recmaster   legacy   -> recmaster capability
+    CTDB_CAPABILITY_LMASTER/--no-lmaster       legacy   -> lmaster capability
+    CTDB_START_AS_STOPPED/--start-as-stopped   legacy   -> start as stopped
+    CTDB_START_AS_DISABLED/--start-as-disabled legacy   -> start as disabled
+    CTDB_SCRIPT_LOG_LEVEL/--script-log-level   legacy   -> script log level
+* Event scripts have moved to the scripts/legacy subdirectory of the
+  configuration directory
+  Event scripts must now end with a ".script" suffix.
+* The "ctdb event" command has changed in 2 ways:
+  - A component is now required for all commands
+    In this release the only valid component is "legacy".
+  - There is no longer a default event when running "ctdb event status"
+    Listing the status of the "monitor" event is now done via:
+      ctdb event status legacy monitor
+   See ctdb(1) for details.
+* The following service-related event script options have been
+  removed:
+  Event scripts for services are now disabled by default.  To enable
+  an event script and, therefore, manage a service use a command like
+  the following:
+    ctdb event script enable legacy 50.samba
+* Notification scripts have moved to the scripts/notification
+  subdirectory of the configuration directory
+  Notification scripts must now end with a ".script" suffix.
+* Support for setting CTDB_DBDIR=tmpfs has been removed
+  This feature has not been implemented in the new configuration
+  system.  If this is desired then a tmpfs filesystem should be
+  manually mounted on the directory pointed to by the "volatile
+  database directory" option.  See ctdb.conf(5) for more details.
+* The following tunable options are now ctdb.conf options:
+    DisabledIPFailover    failover -> disabled
+    TDBMutexEnabled       database -> tdb mutexes
+* Support for the NoIPHostOnAllDisabled tunable has been removed
+  If all nodes are unhealthy or disabled then CTDB will not host
+  public IP addresses.  That is, CTDB now behaves as if
+  NoIPHostOnAllDisabled were set to 1.
+* The onnode command's CTDB_NODES_FILE environment variable has been
+  removed
+  The -f option can still be used to specify an alternate node file.
+* The 10.external event script has been removed
+* The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
+  As with other daemons, if ctdbd does not shut down when requested
+  then manual intervention is required.  There is no safe way of
+  automatically killing ctdbd after a failed shutdown.
+  variable have been removed
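Review bot: The "Signature" link at the top of history/samba-4.9.0.html points to samba-4.9.0.tar.asc, while the download link beside it is samba-4.9.0.tar.gz, and nothing in the visible page says which file the signature covers. Suggest a short line next to the link stating which file the .asc is to be verified against, so a reader does not check it against the wrong file and conclude the download is bad. Separately, several sentences in the visible notes stop part-way and should be checked against the release announcement: the last sentence of the Database audit paragraph, the Log Authentication duration paragraph, the Jansson paragraph (ends at "at configure"), the domain backup paragraph, the sysvolreset paragraph, and the CTDB item on service-related event script options, which announces a list that does not follow. Typos to fix in the same pass: "peristent" in the ctdb.conf option table and "run by unconditionally" in the notify.d item. Finally, the trust limitations in the trusted domains section (no SID filtering, DCs of one domain able to grant admin rights in the other) are the most security-relevant lines in these notes and sit unmarked in the middle of the page; a heading or emphasis there would help administrators who skim before upgrading.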

Samba Website Repository
