[Announce] Samba 4.5.0 Available for Download

Jeff Sadowski jeff.sadowski at gmail.com
Wed Sep 7 15:31:36 UTC 2016


Does this push 4.2.x to discontinued?

On Wed, Sep 7, 2016 at 9:06 AM, Stefan Metzmacher <metze at samba.org> wrote:

> ======================================================
>                  "It does not matter how slowly you go
>                   as long as you do not stop."
>
>                  Confucius
> ======================================================
>
>
> Release Announcements
> ---------------------
>
> This is the first stable release of the Samba 4.5 release series.
>
>
> UPGRADING
> =========
>
> NTLMv1 authentication disabled by default
> -----------------------------------------
>
> In order to improve security we have changed
> the default value for the "ntlm auth" option from
> "yes" to "no". This may have impact on very old
> clients which don't support NTLMv2 yet.
>
> The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
>
> By default, Samba will only allow NTLMv2 via NTLMSSP now,
> as we have the following default "lanman auth = no",
> "ntlm auth = no" and "raw NTLMv2 auth = no".
>
>
> NEW FEATURES/CHANGES
> ====================
>
> Support for LDAP_SERVER_NOTIFICATION_OID
> ----------------------------------------
>
> The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
> control. This can be used to monitor the Active Directory database
> for changes.
>
> KCC improvements for sparse network replication
> -----------------------------------------------
>
> The Samba KCC will now be the default knowledge consistency checker in
> Samba AD. Instead of using full mesh replication between every DC, the
> KCC will set up connections to optimize replication latency and cost
> (using site links to calculate the routes). This change should allow
> larger domains to function significantly better in terms of replication
> traffic and the time spent performing DRS replication.
>
> VLV - Virtual List View
> -----------------------
>
> The VLV Control allows applications to page the LDAP directory in the
> way you might expect a live phone book application to operate, without
> first downloading the entire directory.
>
> DRS Replication for the AD DC
> -----------------------------
>
> DRS Replication in Samba 4.5 is now much more efficient in handling
> linked attributes, particularly in large domains with over 1000 group
> memberships or other links.
>
> Replication is also much more reliable in the handling of tree
> renames, such as the rename of an organizational unit containing many
> users.  Extensive tests have been added to ensure this code remains
> reliable, particularly in the case of conflicts between objects added
> with the same name on different servers.
>
> Schema updates are also handled much more reliably.
>
> samba-tool drs replicate with new options
> -----------------------------------------
>
> 'samba-tool drs replicate' got two new options:
>
> The option '--local-online' will do the DsReplicaSync() via IRPC
> to the local dreplsrv service.
>
> The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
> DsReplicaSync(), which won't wait for the replication result.
>
> replPropertyMetaData Changes
> ----------------------------
>
> During the development of the DRS replication, tests showed that Samba
> stores the replPropertyMetaData object incorrectly. To address this,
> be aware that 'dbcheck' will now detect and offer to fix all objects in
> the domain for this error.
>
> For further information and instructions how to fix the problem, see
> https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
>
> Linked attributes on deleted objects
> ------------------------------------
>
> In Active Directory, an object that has been tombstoned or recycled
> has no linked attributes.  However, Samba incorrectly maintained such
> links, slowing replication and run-time performance.  'dbcheck' now
> offers to remove such links, and they are no longer kept after the
> object is tombstoned or recycled.
>
> Improved AD DC performance
> --------------------------
>
> Many other improvements have been made to our LDAP database layer in
> the AD DC, to improve performance, both during 'samba-tool domain
> provision' and at runtime.
>
> Other dbcheck improvements
> --------------------------
>
>  - 'samba-tool dbcheck' can now find and fix a missing or corrupted
>    'deleted objects' container.
>  - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class
>    values in objectClass as these were then re-sorted at the next
>    dbcheck indefinitely.
>
> Tombstone Reanimation
> ---------------------
>
> Samba now supports tombstone reanimation, a feature in the AD DC
> allowing tombstones, that is objects which have been deleted, to be
> restored with the original SID and GUID still in place.
>
> Multiple DNS Forwarders on the AD DC
> ------------------------------------
>
> Previously, the Samba internal DNS server supported only one DNS forwarder.
> The "dns forwarder" option has been enhanced and now supports a
> space-separated list of multiple DNS server IP addresses. As a result,
> Samba is now able to fall back to alternative DNS servers. If a DNS query
> to the first server times out, it is sent to the next DNS server listed in
> the option.
>
> Password quality plugin support in the AD DC
> --------------------------------------------
>
> The check password script now operates correctly in the AD DC.
>
> pwdLastSet is now correctly honoured
> ------------------------------------
>
> BUG 9654: The pwdLastSet attribute is now correctly handled (this
> previously permitted passwords that expire next).
>
> net ads dns unregister
> ----------------------
>
> It is now possible to remove the DNS entries created with 'net ads
> register' with the matching 'net ads unregister' command.
>
> samba-tool improvements
> ------------------------
>
> Running 'samba-tool' on the command line should now be a lot snappier. The
> tool now only loads the code specific to the subcommand that you wish to
> run.
>
> SMB 2.1 Leases enabled by default
> ---------------------------------
>
> Leasing is an SMB 2.1 (and higher) feature which allows clients to
> aggressively cache files locally above and beyond the caching allowed
> by SMB 1 oplocks. This feature was disabled in previous releases, but
> the SMB2 leasing code is now considered mature and stable enough to be
> enabled by default.
>
> Open File Description (OFD) Locks
> ---------------------------------
>
> On systems that support them (currently only Linux), the fileserver now
> uses Open File Description (OFD) locks instead of POSIX locks to implement
> client byte range locks. As these locks are associated with a specific
> file descriptor on a file this allows more efficient use when multiple
> descriptors having file locks are opened onto the same file. An internal
> tunable "smbd:force process locks = true" may be used to turn off OFD
> locks if there appear to be problems with them.
>
> Password sync as Active Directory domain controller
> ---------------------------------------------------
>
> The new commands 'samba-tool user getpassword'
> and 'samba-tool user syncpasswords' provide
> access and syncing of various password fields.
>
> If compiled with GPGME support (--with-gpgme) it's
> possible to store cleartext passwords in a PGP/OpenPGP
> encrypted form by configuring the new "password hash gpg key ids"
> option. This requires gpgme devel and python packages to be installed
> (e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu).
>
> Python crypto requirements
> --------------------------
>
> Some 'samba-tool' subcommands require python-crypto and/or
> python-m2crypto packages to be installed.
>
> SmartCard/PKINIT improvements
> -----------------------------
>
> 'samba-tool user create' accepts "--smartcard-required"
> and 'samba-tool user setpassword' accepts "--smartcard-required"
> and "--clear-smartcard-required".
>
> Specifying "--smartcard-required" results in the UF_SMARTCARD_REQUIRED
> flags being set in the userAccountControl attribute.
> At the same time, the account password is reset to a random
> NTHASH value.
>
> Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
> bit is set in the userAccountControl attribute of a user.
>
> When doing a PKINIT based Kerberos logon the KDC adds the
> required PAC_CREDENTIAL_INFO element to the authorization data.
> That means the NTHASH is shared between the PKINIT based client and
> the domain controller, which allows the client to do NTLM based
> authentication on behalf of the user. It also allows an offline
> logon using a smartcard to work on Windows clients.
>
> CTDB changes
> ------------
>
> * New improved 'ctdb tool'
>
>   'ctdb tool' has been completely rewritten using new client API.
>   Usage messages are much improved.
>
> * Sample CTDB configuration file is installed as ctdbd.conf.
>
> * The use of real-time scheduling when taking locks has been narrowed
>   to limit potential performance impacts on nodes.
>
> * CTDB_RECOVERY_LOCK now supports specification of an external helper
>   to take and hold the recovery lock.
>
>   See the RECOVERY LOCK section in ctdb(7) for details.  Documentation
>   for writing helpers is provided in doc/cluster_mutex_helper.txt.
>
> * "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
>   command that has "master", "list" and "status" subcommands.
>
> * The 'onnode' command no longer supports the "recmaster", "lvs" and
>   "natgw" node specifications.
>
> * Faster resetting of TCP connections to public IP addresses during
>   failover.
>
> * Tunables MaxRedirectCount, ReclockPingPeriod,
>   DeferredRebalanceOnNodeAdd are now obsolete/ignored.
>
> * "ctdb listvars" now lists all variables, including the first one.
>
> * "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
>   removed.
>
>   These are not needed because "ctdb reloadips" should do the correct
>   rebalancing.
>
> * Output for the following commands has been simplified:
>
>     ctdb getdbseqnum
>     ctdb getdebug
>     ctdb getmonmode
>     ctdb getpid
>     ctdb getreclock
>     ctdb getpid
>     ctdb pnn
>
>   These now simply print the requested output with no preamble.  This
>   means that scripts no longer need to strip part of the output.
>
>   "ctdb getreclock" now prints nothing when the recovery lock is not
>   set.
>
> * Output for the following commands has been improved:
>
>   ctdb setdebug
>   ctdb uptime
>
> * 'ctdb process-exists' has been updated to only take a PID argument.
>
>   The PNN can be specified with -n <PNN>.  Output also cleaned up.
>
> * LVS support has been reworked - related commands and configuration
>   variables have changed.
>
>   'ctdb lvsmaster' and 'ctdb lvs' have been replaced by a top level
>   'ctdb lvs' command that has 'master', 'list' and 'status'
>   subcommands.
>
>   See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
>   including configuration changes.
>
> * Improved sample NFS Ganesha call-out.
>
> New shadow_copy2 options
> ------------------------
>
> * shadow:snapprefix
>
>   With a growing number of snapshots, file systems need some mechanism to
>   differentiate one set of snapshots from another, e.g. monthly, weekly,
>   manual, special events, etc. Therefore, these file systems provide
>   different ways to tag snapshots, e.g. a configurable way to name
>   snapshots which is not just based on time. With only shadow:format it is
>   very difficult to filter these snapshots. With this optional parameter,
>   one can specify a variable prefix component for the names of the snapshot
>   directories in the file system. If this parameter is set, together with
>   the shadow:format and shadow:delimiter parameters it determines the
>   possible names of snapshot directories in the file system. The option
>   only supports Basic Regular Expressions (BRE).
>
> * shadow:delimiter
>
>   This optional parameter is used as a delimiter between "shadow:snapprefix"
>   and "shadow:format". It is used only when "shadow:snapprefix" is set.
>
>   Default: shadow:delimiter = "_GMT"
>
>
> REMOVED FEATURES
> ================
>
> "only user" and "username" parameters
> -------------------------------------
>
> These two parameters have long been deprecated and superseded by
> "valid users" and "invalid users".
>
>
> smb.conf changes
> ================
>
>   Parameter Name                Description             Default
>   --------------                -----------             -------
>   kccsrv:samba_kcc              Changed default         yes
>   ntlm auth                     Changed default         no
>   only user                     Removed
>   password hash gpg key ids     New
>   shadow:snapprefix             New
>   shadow:delimiter              New                     _GMT
>   smb2 leases                   Changed default         yes
>   username                      Removed
>
>
> KNOWN ISSUES
> ============
>
> While a lot of schema replication bugs were fixed in this release
> Bug 12204 - Samba fails to replicate schema 69
> (https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
> The replication fails if more than 133 schema objects are added
> at the same time.
>
> More open bugs are listed at:
> https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
>
>
> CHANGES SINCE 4.5.0rc3
> ======================
>
> o   Björn Baumbach <bb at sernet.de>
>     * BUG 12194: idmap_script: fix missing "IDTOSID" argument in scripts
>       command line.
>
> o   Andrew Bartlett <abartlet at samba.org>
>     * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData.
>
> o   Ralph Boehme <slow at samba.org>
>     * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr.
>     * BUG 12181: vfs_acl_common not setting filesystem permissions anymore.
>     * BUG 12184: Loading shared RPC modules failed.
>
> o   Günther Deschner <gd at samba.org>
>     * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname
>       length check.
>
> o   Stefan Metzmacher <metze at samba.org>
>     * BUG 11994: smbclient fails to connect to Azure or Apple share spnego
>       fails with no mechListMIC.
>
> o   Martin Schwenke <martin at meltin.net>
>     * BUG 12180: CTDB crashes running eventscripts.
>
>
> CHANGES SINCE 4.5.0rc2
> ======================
>
> o   Michael Adam <obnox at samba.org>
>     * BUG 12155: Some idmap backends don't perform range checks for the
>       result of sids_to_xids.
>
> o   Jeremy Allison <jra at samba.org>
>     * BUG 12115: Endless loop on drsuapi pull replication after schema
>       changes.
>     * BUG 12135: net ads gpo refresh can crash with null pointer deref.
>     * BUG 12139: Race between break oplock and check for share_mode.
>     * BUG 12150: SMB2 snapshot query fails on DFS shares.
>     * BUG 12165: smbclient allinfo doesn't correctly return 'previous
>       version' info over SMB1.
>     * BUG 12166: smbclient allinfo doesn't correctly return 'previous
>       version' info over SMB2.
>     * BUG 12174: error: 'conn' undeclared.
>
> o   Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>     * BUG 12143: misnamed attribute in samba_kcc causes exception in
>       unusual circumstances.
>     * BUG 12187: Backport changes for partial attribute set calculation
>       for 4.5.
>
> o   Andrew Bartlett <abartlet at samba.org>
>     * BUG 12107: backport backupkey tests.
>     * BUG 12115: Endless loop on drsuapi pull replication after schema
>       changes.
>     * BUG 12128: Correctly resolve replicated schema changes regarding
>       linked attributes.
>
> o   Amitay Isaacs <amitay at gmail.com>
>     * BUG 12137: Fix printf format non-literal warnings and printf
>       format errors.
>     * BUG 12138: Fix uninitialized timeout in ctdb_pmda.
>     * BUG 12151: Drop resurrected ctdb commands in new ctdb tool.
>     * BUG 12152: Fix ctdb addip; implementation to match ctdb delip.
>     * BUG 12163: Fix missing arguments and format elements in format
>       strings.
>     * BUG 12168: Fix format-nonliteral warnings.
>
> o   Stefan Metzmacher <metze at samba.org>
>     * BUG 12108: Backport selftest/autobuild fixes to v4-5-test.
>     * BUG 12114: In memory schema updated on non schema master.
>     * BUG 12115: Endless loop on drsuapi pull replication after schema
>       changes.
>     * BUG 12128: Correctly resolve replicated schema changes regarding
>       linked attributes.
>     * BUG 12129: let samba-tool ldapcmp ignore whenChanged.
>
> o   Garming Sam <garming at catalyst.net.nz>
>     * BUG 12187: Backport changes for partial attribute set calculation
>       for 4.5.
>
> o   Andreas Schneider <asn at samba.org>
>     * BUG 12175: smbget always prompts for a username.
>
> o   Christof Schmitt <cs at samba.org>
>     * BUG 12150: SMB2 snapshot query fails on DFS shares.
>
> o   Martin Schwenke <martin at meltin.net>
>     * BUG 12157: Coverity and related fixes.
>     * BUG 12158: CTDB release IP fixes.
>     * BUG 12161: Fix CTDB cumulative takeover timeout.
>     * BUG 12170: CTDB test runs can kill each other's ctdbd daemons.
>
> o   Uri Simchoni <uri at samba.org>
>     * BUG 12145: smbd: if inherit owner is enabled, the free disk on a
>       folder should take the owner's quota into account.
>     * BUG 12149: smbd: cannot load a Windows device driver from a Samba
>       share via SMB2.
>     * BUG 12172: a snapshot folder cannot be accessed via SMB1.
>
>
> CHANGES SINCE 4.5.0rc1
> ======================
>
> o   Ralph Boehme <slow at samba.org>
>     * BUG 12005: parse_share_modes() chokes on ctdb tombstone record from
>       ltdb.
>     * BUG 12105: smbclient connection to not reachable IP eats 100% CPU.
>
> o   Ira Cooper <ira at samba.org>
>     * BUG 12133: source3/wscript: Add support for disabling vfs_cephfs.
>
> o   Amitay Isaacs <amitay at gmail.com>
>     * BUG 12121: ctdb-tools: Fix numerous Coverity IDs and other issues.
>     * BUG 12122: If a transaction fails, it should be canceled and
>       transaction handle should be freed.
>     * BUG 12134: dbwrap: Fix structure initialization.
>
> o   Marc Muehlfeld <mmuehlfeld at samba.org>
>     * BUG 12023: man: Fix wrong option for parameter "ldap ssl" in smb.conf
>       man page.
>
> o   Andreas Schneider <asn at samba.org>
>     * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory.
>
> o   Martin Schwenke <martin at meltin.net>
>     * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory.
>     * BUG 12109: Fixes several CTDB tests.
>     * BUG 12110: Fix numerous Coverity IDs.
>     * BUG 12113: ctdb-mutex: Avoid corner case where helper is already
>       reparented to init.
>     * BUG 12123: Fix ctdb tickle command and update documentation.
>     * BUG 12125: CTDB overwrites working configuration due to packaging
>       change.
>     * BUG 12126: Fix broken CTDB log messages.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> from:
>
>         https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
>         https://www.samba.org/samba/history/samba-4.5.0.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team
>
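The announcement's UPGRADING section says that, as of 4.5, Samba only accepts NTLMv2 via NTLMSSP because "lanman auth", "ntlm auth" and "raw NTLMv2 auth" all default to "no". The script below is an added example, not part of the announcement or of the Samba code base: it parses the [global] section of an smb.conf with Samba's own rules for parameter names and booleans, applies those 4.5 defaults, and reports which of the three options an administrator has effectively re-enabled. The sample configs are constructed for the example.

```python
"""Audit the NTLM-related authentication options of an smb.conf against the
Samba 4.5 defaults named in the release announcement.  Added example, not
Samba code.  It assumes the 4.5 semantics quoted above: "lanman auth",
"ntlm auth" and "raw NTLMv2 auth" are booleans that all default to "no".
"""
import re

# Options and their Samba 4.5 defaults, as listed in the announcement.
DEFAULTS = {"lanman auth": "no", "ntlm auth": "no", "raw NTLMv2 auth": "no"}

# Why each option matters when it is effectively enabled.
RISK = {
    "lanman auth": "LANMAN responses accepted (weaker than NTLMv1)",
    "ntlm auth": "NTLMv1 accepted via NTLMSSP; needed only by clients without NTLMv2",
    "raw NTLMv2 auth": "NTLMv2 accepted in raw (non-NTLMSSP) SMB1 session setup",
}

# Spellings smb.conf(5) accepts for boolean parameters.
_TRUE, _FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def _norm(name):
    """Samba compares parameter names case-insensitively and ignores whitespace."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return the [global] section as {normalised name: raw value}.

    Lines starting with '#' or ';' are comments.  A later assignment of the
    same parameter overrides an earlier one, as Samba does.  Parameters in
    other sections are ignored: the audited options are global-only.
    """
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            in_global = _norm(m.group(1)) == "global"
            continue
        if in_global and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params


def to_bool(value):
    """Samba boolean -> bool.  Non-boolean values raise rather than being
    guessed, so a config written for a later release (where "ntlm auth"
    accepts non-boolean values) is not silently misreported."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def effective_settings(text):
    """Effective value of each audited option after applying the 4.5 defaults."""
    params = parse_global(text)
    return {opt: to_bool(params.get(_norm(opt), default))
            for opt, default in DEFAULTS.items()}


def audit(text):
    """(option, reason) for every audited option that is effectively enabled."""
    return [(opt, RISK[opt]) for opt, on in effective_settings(text).items() if on]


def ntlmv2_only(text):
    """True when the config keeps the 4.5 default posture: NTLMv2 via NTLMSSP only."""
    return not audit(text)


# Constructed sample configs (not taken from the page).
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   ; re-enabled for an old VPN concentrator that still does MSCHAPv2
   NTLM Auth = Yes
[homes]
   ; not in [global], so it has no effect on the audit
   ntlm auth = no
"""

DEFAULT_CONF = """\
[global]
   workgroup = EXAMPLE
   # nothing about NTLM here: the 4.5 defaults apply
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("default", DEFAULT_CONF)):
        print(label, "->", audit(conf) or "NTLMv2 only")
```

Run it against a real smb.conf by passing the file contents to `audit()`; an empty result means the server is at the 4.5 default posture, and each finding names the option to revisit. Because "ntlm auth" later became a non-boolean option in Samba, `to_bool()` deliberately raises on values it does not recognise instead of guessing.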


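The "Multiple DNS Forwarders" section states the fallback rule in one sentence: forwarders are tried in the order listed in "dns forwarder", and a query moves to the next server only when the current one times out. The following added example (not Samba code) models that rule with an injectable send function so the ordering and the timeout-only fallback can be exercised offline. It assumes, as the announcement says, that the option value is a space-separated list of IP addresses; treating only timeouts as a reason to fall back is taken from the announcement's wording, and the simulated sender and addresses are constructed for the example.

```python
"""Model of the Samba 4.5 multiple-forwarder fallback.  Added example, not
Samba code.  Assumptions: 'dns forwarder' is a space-separated list of IP
addresses, and a query is passed to the next forwarder only on timeout.
"""
import ipaddress


class ForwarderTimeout(Exception):
    """Raised by a send function when the forwarder did not answer in time."""


def parse_forwarders(value):
    """Split a 'dns forwarder' value into an ordered list of validated addresses.

    Each token must parse as an IPv4 or IPv6 address; anything else raises
    ValueError so a typo in the list is caught before it silently disables
    fallback to that server.
    """
    return [str(ipaddress.ip_address(token)) for token in value.split()]


def is_valid_forwarder_list(value):
    """True when every token of the option value is an IP address."""
    try:
        parse_forwarders(value)
    except ValueError:
        return False
    return True


def forward_query(forwarders, query, send):
    """Send `query` to each forwarder in listed order.

    `send(addr, query)` returns an answer or raises ForwarderTimeout.  Any
    answer (including a negative one) ends the search; only a timeout moves
    on to the next forwarder.  Returns (answering_forwarder, answer) or raises
    ForwarderTimeout after every forwarder timed out.
    """
    last = None
    for addr in forwarders:
        try:
            return addr, send(addr, query)
        except ForwarderTimeout as exc:
            last = exc
    raise ForwarderTimeout(f"all forwarders timed out for {query!r}") from last


def make_simulated_sender(dead):
    """Constructed stand-in for the network: forwarders in `dead` never answer.

    Returns the send function and a list recording the order of attempts.
    """
    attempts = []

    def send(addr, query):
        attempts.append(addr)
        if addr in dead:
            raise ForwarderTimeout(addr)
        return f"{query} A 192.0.2.10 (answered by {addr})"

    return send, attempts


def resolve_with_option(option_value, query, dead=frozenset()):
    """Parse the option, run one query through the simulation, and return
    (answering forwarder, list of forwarders tried)."""
    send, attempts = make_simulated_sender(dead)
    addr, _answer = forward_query(parse_forwarders(option_value), query, send)
    return addr, attempts


if __name__ == "__main__":
    # First forwarder is down: the query is retried on the second one.
    print(resolve_with_option("192.0.2.53 198.51.100.53", "host.example.",
                              dead={"192.0.2.53"}))
```

The point to take from the model is operational rather than cryptographic: once more than one forwarder is listed, the first entry is tried on every query, so a dead first entry adds a full timeout to each lookup before the second answers, which is worth watching in resolver latency metrics after a migration to this option.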