[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Tue Sep 17 08:38:23 UTC 2019
The branch, master has been updated
via a9613c0 Add Samba 4.11.0.
via de39764 NEWS[4.11.0]: Samba 4.11.0 Available for Download
from 5a5353a support: Add Björn Baumbach and update information.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a9613c0f5841c61822cf4193cfb61b536ecac87e
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Sep 17 10:38:04 2019 +0200
Add Samba 4.11.0.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit de39764559e70773e47bb523cbe193fe5504309f
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Sep 17 10:36:25 2019 +0200
NEWS[4.11.0]: Samba 4.11.0 Available for Download
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 1 +
history/samba-4.11.0.html | 481 +++++++++++++++++++++++
posted_news/20190917-083736.4.11.0.body.html | 12 +
posted_news/20190917-083736.4.11.0.headline.html | 3 +
4 files changed, 497 insertions(+)
create mode 100644 history/samba-4.11.0.html
create mode 100644 posted_news/20190917-083736.4.11.0.body.html
create mode 100644 posted_news/20190917-083736.4.11.0.headline.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index cd921ff..a10d780 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.11.0.html">samba-4.11.0</a></li>
<li><a href="samba-4.10.8.html">samba-4.10.8</a></li>
<li><a href="samba-4.10.7.html">samba-4.10.7</a></li>
<li><a href="samba-4.10.6.html">samba-4.10.6</a></li>
diff --git a/history/samba-4.11.0.html b/history/samba-4.11.0.html
new file mode 100644
index 0000000..f25feb0
--- /dev/null
+++ b/history/samba-4.11.0.html
@@ -0,0 +1,481 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.11.0 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.11.0 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.0.tar.gz">Samba 4.11.0 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.0.tar.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.11.0
+ September 17, 2019
+ ==============================
+
+
+This is the first stable release of the Samba 4.11 release series.
+Please read the release notes carefully before upgrading.
+
+
+UPGRADING
+=========
+
+AD Database compatibility
+-------------------------
+
+Samba 4.11 has changed how the AD database is stored on disk. AD users should
+not really be affected by this change when upgrading to 4.11. However, AD
+users should be extremely careful if they need to downgrade from Samba 4.11 to
+an older release.
+
+Samba 4.11 maintains database compatibility with older Samba releases. The
+database will automatically get rewritten in the new 4.11 format when you
+first start the upgraded samba executable.
+
+However, when downgrading from 4.11 you will need to manually downgrade the AD
+database yourself. Note that you will need to do this step before you install
+the downgraded Samba packages. For more details, see:
+https://wiki.samba.org/index.php/Downgrading_an_Active_Directory_DC
+
+When either upgrading or downgrading, users should also avoid making any
+database modifications between installing the new Samba packages and starting
+the samba executable.
+
+SMB1 is disabled by default
+---------------------------
+
+The defaults of 'client min protocol' and 'server min protocol'
+have been changed to SMB2_02.
+
+This means clients without support for SMB2 or SMB3 are no longer
+able to connect to smbd (by default).
+
+It also means client tools like smbclient and other,
+as well as applications making use of libsmbclient are no longer
+able to connect to servers without SMB2 or SMB3 support (by default).
+
+It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
+and LANMAN1 for client and server, as well as CORE and COREPLUS on
+the client.
+
+Note that most commandline tools e.g. smbclient, smbcacls and others
+also support the '--option' argument to overwrite smb.conf options,
+e.g. --option='client min protocol=NT1' might be useful.
+
+As Microsoft no longer installs SMB1 support in recent releases
+or uninstalls it after 30 days without usage, the Samba Team
+tries to get remove the SMB1 usage as much as possible.
+
+SMB1 is officially deprecated and might be removed step by step
+in the following years. If you have a strong requirement for SMB1
+(except for supporting old Linux Kernels), please file a bug
+at https://bugzilla.samba.org and let us know about the details.
+
+LanMan and plaintext authentication deprecated
+----------------------------------------------
+
+The "lanman auth" and "encrypt passwords" parameters are deprecated
+with this release as both are only applicable to SMB1 and are quite
+insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as
+"encrypt passwords = yes" has been the default since Samba 3.0.0.
+
+If you have a strong requirement for these authentication protocols,
+please file a bug at https://bugzilla.samba.org and let us know about
+the details.
+
+BIND9_FLATFILE deprecated
+-------------------------
+
+The BIND9_FLATFILE DNS backend is deprecated in this release and will
+be removed in the future. This was only practically useful on a single
+domain controller or under expert care and supervision.
+
+This release therefore deprecates the "rndc command" smb.conf
+parameter, which is used to support this configuration. After writing
+out a list of DCs permitted to make changes to the DNS Zone "rndc
+command" is called with reload to tell the 'named' server if a DC was
+added/removed to to the domain.
+
+
+NEW FEATURES/CHANGES
+====================
+
+Default samba process model
+---------------------------
+
+The default for the '--model' argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
+
+Authentication Logging
+----------------------
+
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
+
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
+
+The version of the JSON Authentication messages has been changed from 1.1 to
+1.2.
+
+LDAP referrals
+--------------
+
+The scheme of returned LDAP referrals now reflects the scheme of the original
+request, i.e. referrals received via ldap are prefixed with "ldap://"
+and those over ldaps are prefixed with "ldaps://".
+
+Previously all referrals were prefixed with "ldap://".
+
+Bind9 logging
+-------------
+
+It is now possible to log the duration of DNS operations performed by Bind9.
+This should aid future diagnosis of performance issues and could be used to
+monitor DNS performance. The logging is enabled by setting log level to
+"dns:10" in smb.conf.
+
+The logs are currently human readable text only, i.e. no JSON formatted output.
+
+Log lines are of the form:
+
+ <function>: DNS timing: result: [<result>] duration: (<duration>)
+ zone: [<zone>] name: [<name>] data: [<data>]
+
+ durations are in microseconds.
+
+Default schema updated to 2012_R2
+---------------------------------
+
+Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
+is not yet available. Older schemas can be used by provisioning with the
+'--base-schema' argument. Existing installations can be updated with the
+samba-tool command "domain schemaupgrade".
+
+Samba's replication code has also been improved to handle replication
+with the 2012 schema (the core of this replication fix has also been
+backported to 4.9.11 and will be in a 4.10.x release).
+
+For more about how the AD schema relates to overall Windows compatibility,
+please read:
+https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
+
+GnuTLS 3.2 required
+-------------------
+
+Samba is making efforts to remove in-tree cryptographic functionality,
+and to instead rely on externally maintained libraries. To this end,
+Samba has chosen GnuTLS as our standard cryptographic provider.
+
+Samba now requires GnuTLS 3.2 to be installed (including development
+headers at build time) for all configurations, not just the Samba AD
+DC.
+
+NOTE WELL: The use of GnuTLS means that Samba will honour the
+system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
+standard) and so will not operate in many still common situations if
+this system-wide parameter is in effect, as many of our protocols rely
+on outdated cryptography.
+
+A future Samba version will mitigate this to some extent where good
+cryptography effectively wraps bad cryptography, but for now that above
+applies.
+
+samba-tool improvements
+-----------------------
+
+A new "samba-tool contact" command has been added to allow the
+command-line manipulation of contacts, as used for address book
+lookups in LDAP.
+
+The "samba-tool [user|group|computer|group|contact] edit" command has been
+improved to operate more pleasantly on international character sets.
+
+100,000 USER and LARGER Samba AD DOMAINS
+========================================
+
+Extensive efforts have been made to optimise Samba for use in
+organisations (for example) targeting 100,000 users, plus 120,000
+computer objects, as well as large number of group memberships.
+
+Many of the specific efforts are detailed below, but the net results
+is to remove barriers to significantly larger Samba deployments
+compared to previous releases.
+
+Reindex performance improvements
+--------------------------------
+
+The performance of samba-tool dbcheck --reindex has been improved,
+especially for large domains.
+
+join performance improvements
+-----------------------------
+
+The performance of samba-tool domain join has been improved,
+especially for large domains.
+
+LDAP Server memory improvements
+-------------------------------
+
+The LDAP server has improved memory efficiency, ensuring that large
+LDAP responses (for example a search for all objects) is not copied
+multiple times into memory.
+
+Setting lmdb map size
+---------------------
+
+It is now possible to set the lmdb map size (the maximum permitted
+size for the database). "samba-tool" now accepts the
+"--backend-store-size" i.e. --backend-store-size=4Gb. If not
+specified it defaults to 8Gb.
+
+This option is avaiable for the following sub commands:
+ * domain provision
+ * domain join
+ * domain dcpromo
+ * drs clone-dc-database
+
+LDB "batch_mode"
+----------------
+
+To improve performance during batch operations i.e. joins, ldb now
+accepts a "batch_mode" option. However to prevent any index or
+database inconsistencies if an operation fails, the entire transaction
+will be aborted at commit.
+
+New LDB pack format
+-------------------
+
+On first use (startup of 'samba' or the first transaction write)
+Samba's sam.ldb will be updated to a new more efficient pack format.
+This will take a few moments.
+
+New LDB <= and >= index mode to improve replication performance
+---------------------------------------------------------------
+
+As well as a new pack format, Samba's sam.ldb uses a new index format
+allowing Samba to efficiently select objects changed since the last
+replication cycle. This in turn improves performance during
+replication of large domains.
+
+https://wiki.samba.org/index.php/LDB_Greater_than_and_Less_than_indexing
+
+Improvements to ldb search performance
+--------------------------------------
+
+Search performance on large LDB databases has been improved by
+reducing memory allocations made on each object.
+
+Improvements to subtree rename performance
+------------------------------------------
+
+Improvements have been made to Samba's handling of subtree renames,
+for example of containers and organisational units, however large
+renames are still not recommended.
+
+CTDB changes
+============
+
+* nfs-linux-kernel-callout now defaults to using systemd service names
+
+ The Red Hat service names continue to be the default.
+
+ Other distributions should patch this file when packaging it.
+
+* The onnode -o option has been removed
+
+* ctdbd logs when it is using more than 90% of a CPU thread
+
+ ctdbd is single threaded, so can become saturated if it uses the
+ full capacity of a CPU thread. To help detect this situation, ctdbd
+ now logs messages when CPU utilisation exceeds 90%. Each change in
+ CPU utilisation over 90% is logged. A message is also logged when
+ CPU utilisation drops below the 90% threshold.
+
+* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
+
+ 05.system.script now monitors total memory (i.e. physical memory +
+ swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
+ script configuration variable.
+
+CephFS Snapshot Integration
+---------------------------
+
+CephFS snapshots can now be exposed as previous file versions using the new
+ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
+
+
+REMOVED FEATURES
+================
+
+Web server
+----------
+
+As a leftover from work related to the Samba Web Administration Tool (SWAT),
+Samba still supported a Python WSGI web server (which could still be turned on
+from the 'server services' smb.conf parameter). This service was unused and has
+now been removed from Samba.
+
+samba-tool join subdomain
+-------------------------
+
+The subdomain role has been removed from the join command. This option did
+not work and has no tests.
+
+Python2 support
+---------------
+
+Samba 4.11 will not have any runtime support for Python 2.
+
+If you are building Samba using the '--disable-python' option
+(i.e. you're excluding all the run-time Python support), then this
+will continue to work on a system that supports either python2 or
+python3.
+
+To build Samba with python2 you *must* set the 'PYTHON' environment
+variable for both the 'configure' and 'make' steps, i.e.
+ 'PYTHON=python2 ./configure'
+ 'PYTHON=python2 make'
+This will override the python3 default.
+
+Except for this specific build-time use of python2, Samba now requires
+Python 3.4 as a minimum.
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+
+ allocation roundup size Default changed/ 0
+ Deprecated
+ client min protocol Changed default SMB2_02
+ server min protocol Changed default SMB2_02
+ mangled names Changed default illegal
+ web port Removed
+ fruit:zero_file_id Changed default False
+ debug encryption New: dump encryption keys False
+ rndc command Deprecated
+ lanman auth Deprecated
+ encrypt passwords Deprecated
+
+
+CHANGES SINCE 4.11.0rc4
+=======================
+
+
+CHANGES SINCE 4.11.0rc3
+=======================
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14049: ldb: Don't try to save a value that isn't there.
+ * ldb_dn: Free dn components on explode failure.
+ * ldb: Do not allow adding a DN as a base to itself.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * ldb: Release ldb 2.0.7.
+ * BUG 13695: ldb: Correct Pigeonhole principle validation in
+ ldb_filter_attrs().
+ * BUG 14049: Fix ldb dn crash.
+ * BUG 14117: Deprecate "lanman auth = yes" and "encrypt passwords = no".
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14038: Fix compiling ctdb on older systems lacking POSIX robust
+ mutexes.
+ * BUG 14121: smbd returns bad File-ID on filehandle used to create a file or
+ directory.
+
+o Poornima G <pgurusid at redhat.com>
+ * BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14055: Add the target server name of SMB 3.1.1 connections as a hint to
+ load balancers or servers with "multi-tenancy" support.
+ * BUG 14113: Fix byte range locking bugs/regressions.
+
+o Swen Schillig <swen at linux.ibm.com>
+ * ldb: Fix mem-leak if talloc_realloc fails.
+
+o Evgeny Sinelnikov <sin at altlinux.org>
+ * BUG 14007: Fix join with don't exists machine account.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14085: ctdb-recoverd: Only check for LMASTER nodes in the VNN map.
+
+
+CHANGES SINCE 4.11.0rc2
+=======================
+
+o Michael Adam <obnox at samba.org>
+ * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
+ loss in CTDB cluster.
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+ from the share.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what
+ is happening).
+ * BUG 14092: docs: Deprecate "rndc command" for Samba 4.11.
+
+o Tim Beale <timbeale at catalyst.net.nz>
+ * BUG 14059: ldb: Free memory when repacking database.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id.
+ * BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and
+ st_ex_iflags.
+
+o Anoop C S <anoopcs at redhat.com>
+ * BUG 14093: vfs_glusterfs: Enable profiling for file system operations.
+
+o Aaron Haslett <aaronhaslett at catalyst.net.nz>
+ * BUG 14059: Backport sambadowngradedatabase for v4.11.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+ from the share.
+
+o Christof Schmitt <cs at samba.org>
+ * BUG 14032: vfs_gpfs: Implement special case for denying owner access to
+ ACL.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14084: Avoid marking a node as connected before it can receive packets.
+ * BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7.
+ * BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing
+ databases.
+
+
+KNOWN ISSUES
+============
+
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
+
+
+</pre>
+</p>
+</body>
+</html>
diff --git a/posted_news/20190917-083736.4.11.0.body.html b/posted_news/20190917-083736.4.11.0.body.html
--
Samba Website Repository
More information about the samba-cvs
mailing list