[Announce] Samba 4.5.0 Available for Download

Andrew Bartlett abartlet at samba.org
Wed Sep 7 19:40:45 UTC 2016


On Wed, 2016-09-07 at 09:31 -0600, Jeff Sadowski wrote:
> Does this push 4.2.x to discontinued?

Yes: https://wiki.samba.org/index.php/Samba_Release_Planning

> On Wed, Sep 7, 2016 at 9:06 AM, Stefan Metzmacher <metze at samba.org> wrote:
> 
> > 
> > ======================================================
> >                  "It does not matter how slowly you go
> >                   as long as you do not stop."
> > 
> >                  Confucius
> > ======================================================
> > 
> > 
> > Release Announcements
> > ---------------------
> > 
> > This is the first stable release of the Samba 4.5 release series.
> > 
> > 
> > UPGRADING
> > =========
> > 
> > NTLMv1 authentication disabled by default
> > -----------------------------------------
> > 
> > In order to improve security we have changed
> > the default value for the "ntlm auth" option from
> > "yes" to "no". This may have an impact on very old
> > clients which don't support NTLMv2 yet.
> > 
> > The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
> > 
> > By default, Samba will only allow NTLMv2 via NTLMSSP now,
> > as we have the following default "lanman auth = no",
> > "ntlm auth = no" and "raw NTLMv2 auth = no".
> > 
> > 
> > NEW FEATURES/CHANGES
> > ====================
> > 
> > Support for LDAP_SERVER_NOTIFICATION_OID
> > ----------------------------------------
> > 
> > The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
> > control. This can be used to monitor the Active Directory database
> > for changes.
> > 
> > KCC improvements for sparse network replication
> > -----------------------------------------------
> > 
> > The Samba KCC will now be the default knowledge consistency checker in
> > Samba AD. Instead of using full mesh replication between every DC, the
> > KCC will set up connections to optimize replication latency and cost
> > (using site links to calculate the routes). This change should allow
> > larger domains to function significantly better in terms of replication
> > traffic and the time spent performing DRS replication.
> > 
> > VLV - Virtual List View
> > -----------------------
> > 
> > The VLV Control allows applications to page the LDAP directory in the
> > way you might expect a live phone book application to operate, without
> > first downloading the entire directory.
> > 
> > DRS Replication for the AD DC
> > -----------------------------
> > 
> > DRS Replication in Samba 4.5 is now much more efficient in handling
> > linked attributes, particularly in large domains with over 1000 group
> > memberships or other links.
> > 
> > Replication is also much more reliable in the handling of tree
> > renames, such as the rename of an organizational unit containing many
> > users.  Extensive tests have been added to ensure this code remains
> > reliable, particularly in the case of conflicts between objects added
> > with the same name on different servers.
> > 
> > Schema updates are also handled much more reliably.
> > 
> > samba-tool drs replicate with new options
> > -----------------------------------------
> > 
> > 'samba-tool drs replicate' got two new options:
> > 
> > The option '--local-online' will do the DsReplicaSync() via IRPC
> > to the local dreplsrv service.
> > 
> > The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
> > DsReplicaSync(), which won't wait for the replication result.
> > 
> > replPropertyMetaData Changes
> > ----------------------------
> > 
> > During the development of the DRS replication, tests showed that Samba
> > stores the replPropertyMetaData object incorrectly. To address this,
> > be aware that 'dbcheck' will now detect and offer to fix all objects in
> > the domain for this error.
> > 
> > For further information and instructions on how to fix the problem, see
> > https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
> > 
> > Linked attributes on deleted objects
> > ------------------------------------
> > 
> > In Active Directory, an object that has been tombstoned or recycled
> > has no linked attributes.  However, Samba incorrectly maintained such
> > links, slowing replication and run-time performance.  'dbcheck' now
> > offers to remove such links, and they are no longer kept after the
> > object is tombstoned or recycled.
> > 
> > Improved AD DC performance
> > --------------------------
> > 
> > Many other improvements have been made to our LDAP database layer in
> > the AD DC, to improve performance, both during 'samba-tool domain
> > provision' and at runtime.
> > 
> > Other dbcheck improvements
> > --------------------------
> > 
> >  - 'samba-tool dbcheck' can now find and fix a missing or corrupted
> >    'deleted objects' container.
> >  - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class
> >    values in objectClass as these were then re-sorted at the next
> >    dbcheck indefinitely.
> > 
> > Tombstone Reanimation
> > ---------------------
> > 
> > Samba now supports tombstone reanimation, a feature in the AD DC
> > allowing tombstones, that is objects which have been deleted, to be
> > restored with the original SID and GUID still in place.
> > 
> > Multiple DNS Forwarders on the AD DC
> > ------------------------------------
> > 
> > Previously, the Samba internal DNS server supported only one DNS
> > forwarder. The "dns forwarder" option has been enhanced and now
> > supports a space-separated list of multiple DNS server IP addresses.
> > As a result, Samba is now able to fall back to alternative DNS servers.
> > If a DNS query to the first server times out, it is sent to the next
> > DNS server listed in the option.
> > 
> > Password quality plugin support in the AD DC
> > --------------------------------------------
> > 
> > The check password script now operates correctly in the AD DC.
> > 
> > pwdLastSet is now correctly honoured
> > ------------------------------------
> > 
> > BUG 9654: The pwdLastSet attribute is now correctly handled (this
> > previously permitted passwords that expire next).
> > 
> > net ads dns unregister
> > ----------------------
> > 
> > It is now possible to remove the DNS entries created with 'net ads
> > register' with the matching 'net ads unregister' command.
> > 
> > samba-tool improvements
> > ------------------------
> > 
> > Running 'samba-tool' on the command line should now be a lot snappier.
> > The tool now only loads the code specific to the subcommand that you
> > wish to run.
> > 
> > SMB 2.1 Leases enabled by default
> > ---------------------------------
> > 
> > Leasing is an SMB 2.1 (and higher) feature which allows clients to
> > aggressively cache files locally above and beyond the caching allowed
> > by SMB 1 oplocks. This feature was disabled in previous releases, but
> > the SMB2 leasing code is now considered mature and stable enough to be
> > enabled by default.
> > 
> > Open File Description (OFD) Locks
> > ---------------------------------
> > 
> > On systems that support them (currently only Linux), the fileserver now
> > uses Open File Description (OFD) locks instead of POSIX locks to
> > implement client byte range locks. As these locks are associated with a
> > specific file descriptor on a file this allows more efficient use when
> > multiple descriptors having file locks are opened onto the same file.
> > An internal tunable "smbd:force process locks = true" may be used to
> > turn off OFD locks if there appear to be problems with them.
> > 
> > Password sync as Active Directory domain controller
> > ---------------------------------------------------
> > 
> > The new commands 'samba-tool user getpassword'
> > and 'samba-tool user syncpasswords' provide
> > access and syncing of various password fields.
> > 
> > If compiled with GPGME support (--with-gpgme) it's
> > possible to store cleartext passwords in a PGP/OpenPGP
> > encrypted form by configuring the new "password hash gpg key ids"
> > option. This requires gpgme devel and python packages to be installed
> > (e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu).
> > 
> > Python crypto requirements
> > --------------------------
> > 
> > Some 'samba-tool' subcommands require python-crypto and/or
> > python-m2crypto packages to be installed.
> > 
> > SmartCard/PKINIT improvements
> > -----------------------------
> > 
> > 'samba-tool user create' accepts "--smartcard-required"
> > and 'samba-tool user setpassword' accepts "--smartcard-required"
> > and "--clear-smartcard-required".
> > 
> > Specifying "--smartcard-required" results in the UF_SMARTCARD_REQUIRED
> > flag being set in the userAccountControl attribute.
> > At the same time, the account password is reset to a random
> > NTHASH value.
> > 
> > Interactive password logons are rejected if the UF_SMARTCARD_REQUIRED
> > bit is set in the userAccountControl attribute of a user.
> > 
> > When doing a PKINIT based Kerberos logon the KDC adds the
> > required PAC_CREDENTIAL_INFO element to the authorization data.
> > That means the NTHASH is shared between the PKINIT based client and
> > the domain controller, which allows the client to do NTLM based
> > authentication on behalf of the user. It also allows an offline
> > logon using a smartcard to work on Windows clients.
> > 
> > CTDB changes
> > ------------
> > 
> > * New improved 'ctdb tool'
> > 
> >   'ctdb tool' has been completely rewritten using new client API.
> >   Usage messages are much improved.
> > 
> > * Sample CTDB configuration file is installed as ctdbd.conf.
> > 
> > * The use of real-time scheduling when taking locks has been narrowed
> >   to limit potential performance impacts on nodes.
> > 
> > * CTDB_RECOVERY_LOCK now supports specification of an external helper
> >   to take and hold the recovery lock.
> > 
> >   See the RECOVERY LOCK section in ctdb(7) for details.  Documentation
> >   for writing helpers is provided in doc/cluster_mutex_helper.txt.
> > 
> > * "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
> >   command that has "master", "list" and "status" subcommands.
> > 
> > * The 'onnode' command no longer supports the "recmaster", "lvs" and
> >   "natgw" node specifications.
> > 
> > * Faster resetting of TCP connections to public IP addresses during
> >   failover.
> > 
> > * Tunables MaxRedirectCount, ReclockPingPeriod,
> >   DeferredRebalanceOnNodeAdd are now obsolete/ignored.
> > 
> > * "ctdb listvars" now lists all variables, including the first one.
> > 
> > * "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been
> >   removed.
> > 
> >   These are not needed because "ctdb reloadips" should do the correct
> >   rebalancing.
> > 
> > * Output for the following commands has been simplified:
> > 
> >     ctdb getdbseqnum
> >     ctdb getdebug
> >     ctdb getmonmode
> >     ctdb getpid
> >     ctdb getreclock
> >     ctdb getpid
> >     ctdb pnn
> > 
> >   These now simply print the requested output with no preamble.  This
> >   means that scripts no longer need to strip part of the output.
> > 
> >   "ctdb getreclock" now prints nothing when the recovery lock is not
> >   set.
> > 
> > * Output for the following commands has been improved:
> > 
> >   ctdb setdebug
> >   ctdb uptime
> > 
> > * 'ctdb process-exists' has been updated to only take a PID argument.
> > 
> >   The PNN can be specified with -n <PNN>.  Output also cleaned up.
> > 
> > * LVS support has been reworked - related commands and configuration
> >   variables have changed.
> > 
> >   'ctdb lvsmaster' and 'ctdb lvs' have been replaced by a top level
> >   'ctdb lvs' command that has 'master', 'list' and 'status'
> >   subcommands.
> > 
> >   See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
> >   including configuration changes.
> > 
> > * Improved sample NFS Ganesha call-out.
> > 
> > New shadow_copy2 options
> > ------------------------
> > 
> > * shadow:snapprefix
> > 
> >   With a growing number of snapshots, file systems need some mechanism
> >   to differentiate one set of snapshots from another, e.g. monthly,
> >   weekly, manual, special events, etc. Therefore, these file systems
> >   provide different ways to tag snapshots, e.g. provide a configurable
> >   way to name snapshots, which is not just based on time.  With only
> >   shadow:format it is very difficult to filter these snapshots. With
> >   this optional parameter, one can specify a variable prefix component
> >   for names of the snapshot directories in the file system. If this
> >   parameter is set, together with the shadow:format and
> >   shadow:delimiter parameters it determines the possible names of
> >   snapshot directories in the file system. The option only supports
> >   Basic Regular Expression (BRE).
> > 
> > * shadow:delimiter
> > 
> >   This optional parameter is used as a delimiter between
> >   "shadow:snapprefix" and "shadow:format". This parameter is used only
> >   when "shadow:snapprefix" is set.
> > 
> >   Default: shadow:delimiter = "_GMT"
> > 
> > 
> > REMOVED FEATURES
> > ================
> > 
> > "only user" and "username" parameters
> > -------------------------------------
> > 
> > These two parameters have long been deprecated and superseded by
> > "valid users" and "invalid users".
> > 
> > 
> > smb.conf changes
> > ================
> > 
> >   Parameter Name                Description             Default
> >   --------------                -----------             -------
> >   kccsrv:samba_kcc              Changed default         yes
> >   ntlm auth                     Changed default         no
> >   only user                     Removed
> >   password hash gpg key ids     New
> >   shadow:snapprefix             New
> >   shadow:delimiter              New                     _GMT
> >   smb2 leases                   Changed default         yes
> >   username                      Removed
> > 
> > 
> > KNOWN ISSUES
> > ============
> > 
> > While a lot of schema replication bugs were fixed in this release,
> > Bug 12204 - Samba fails to replicate schema 69
> > (https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
> > The replication fails if more than 133 schema objects are added
> > at the same time.
> > 
> > More open bugs are listed at:
> > https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
> > 
> > 
> > CHANGES SINCE 4.5.0rc3
> > ======================
> > 
> > o   Björn Baumbach <bb at sernet.de>
> >     * BUG 12194: idmap_script: fix missing "IDTOSID" argument in
> >       scripts command line.
> > 
> > o   Andrew Bartlett <abartlet at samba.org>
> >     * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData.
> > 
> > o   Ralph Boehme <slow at samba.org>
> >     * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr.
> >     * BUG 12181: vfs_acl_common not setting filesystem permissions
> >       anymore.
> >     * BUG 12184: Loading shared RPC modules failed.
> > 
> > o   Günther Deschner <gd at samba.org>
> >     * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname
> >       length check.
> > 
> > o   Stefan Metzmacher <metze at samba.org>
> >     * BUG 11994: smbclient fails to connect to Azure or Apple share
> >       spnego fails with no mechListMIC.
> > 
> > o   Martin Schwenke <martin at meltin.net>
> >     * BUG 12180: CTDB crashes running eventscripts.
> > 
> > 
> > CHANGES SINCE 4.5.0rc2
> > ======================
> > 
> > o   Michael Adam <obnox at samba.org>
> >     * BUG 12155: Some idmap backends don't perform range checks for
> >       the result of sids_to_xids.
> > 
> > o   Jeremy Allison <jra at samba.org>
> >     * BUG 12115: Endless loop on drsuapi pull replication after schema
> >       changes.
> >     * BUG 12135: net ads gpo refresh can crash with null pointer deref.
> >     * BUG 12139: Race between break oplock and check for share_mode.
> >     * BUG 12150: SMB2 snapshot query fails on DFS shares.
> >     * BUG 12165: smbclient allinfo doesn't correctly return 'previous
> >       version' info over SMB1.
> >     * BUG 12166: smbclient allinfo doesn't correctly return 'previous
> >       version' info over SMB2.
> >     * BUG 12174: error: 'conn' undeclared.
> > 
> > o   Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> >     * BUG 12143: misnamed attribute in samba_kcc causes exception in
> >       unusual circumstances.
> >     * BUG 12187: Backport changes for partial attribute set calculation
> >       for 4.5.
> > 
> > o   Andrew Bartlett <abartlet at samba.org>
> >     * BUG 12107: backport backupkey tests.
> >     * BUG 12115: Endless loop on drsuapi pull replication after schema
> >       changes.
> >     * BUG 12128: Correctly resolve replicated schema changes regarding
> >       linked attributes.
> > 
> > o   Amitay Isaacs <amitay at gmail.com>
> >     * BUG 12137: Fix printf format non-literal warnings and printf
> >       format errors.
> >     * BUG 12138: Fix uninitialized timeout in ctdb_pmda.
> >     * BUG 12151: Drop resurrected ctdb commands in new ctdb tool.
> >     * BUG 12152: Fix ctdb addip; implementation to match ctdb delip.
> >     * BUG 12163: Fix missing arguments and format elements in format
> >       strings.
> >     * BUG 12168: Fix format-nonliteral warnings.
> > 
> > o   Stefan Metzmacher <metze at samba.org>
> >     * BUG 12108: Backport selftest/autobuild fixes to v4-5-test.
> >     * BUG 12114: In memory schema updated on non schema master.
> >     * BUG 12115: Endless loop on drsuapi pull replication after schema
> >       changes.
> >     * BUG 12128: Correctly resolve replicated schema changes regarding
> >       linked attributes.
> >     * BUG 12129: let samba-tool ldapcmp ignore whenChanged.
> > 
> > o   Garming Sam <garming at catalyst.net.nz>
> >     * BUG 12187: Backport changes for partial attribute set calculation
> >       for 4.5.
> > 
> > o   Andreas Schneider <asn at samba.org>
> >     * BUG 12175: smbget always prompts for a username.
> > 
> > o   Christof Schmitt <cs at samba.org>
> >     * BUG 12150: SMB2 snapshot query fails on DFS shares.
> > 
> > o   Martin Schwenke <martin at meltin.net>
> >     * BUG 12157: Coverity and related fixes.
> >     * BUG 12158: CTDB release IP fixes.
> >     * BUG 12161: Fix CTDB cumulative takeover timeout.
> >     * BUG 12170: CTDB test runs can kill each other's ctdbd daemons.
> > 
> > o   Uri Simchoni <uri at samba.org>
> >     * BUG 12145: smbd: if inherit owner is enabled, the free disk on a
> >       folder should take the owner's quota into account.
> >     * BUG 12149: smbd: cannot load a Windows device driver from a Samba
> >       share via SMB2.
> >     * BUG 12172: a snapshot folder cannot be accessed via SMB1.
> > 
> > 
> > CHANGES SINCE 4.5.0rc1
> > ======================
> > 
> > o   Ralph Boehme <slow at samba.org>
> >     * BUG 12005: parse_share_modes() chokes on ctdb tombstone record
> >       from ltdb.
> >     * BUG 12105: smbclient connection to not reachable IP eats 100%
> >       CPU.
> > 
> > o   Ira Cooper <ira at samba.org>
> >     * BUG 12133: source3/wscript: Add support for disabling vfs_cephfs.
> > 
> > o   Amitay Isaacs <amitay at gmail.com>
> >     * BUG 12121: ctdb-tools: Fix numerous Coverity IDs and other
> >       issues.
> >     * BUG 12122: If a transaction fails, it should be canceled and
> >       transaction handle should be freed.
> >     * BUG 12134: dbwrap: Fix structure initialization.
> > 
> > o   Marc Muehlfeld <mmuehlfeld at samba.org>
> >     * BUG 12023: man: Fix wrong option for parameter "ldap ssl" in
> >       smb.conf man page.
> > 
> > o   Andreas Schneider <asn at samba.org>
> >     * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory.
> > 
> > o   Martin Schwenke <martin at meltin.net>
> >     * BUG 12104: ctdb-packaging: Move ctdb tests to libexec directory.
> >     * BUG 12109: Fixes several CTDB tests.
> >     * BUG 12110: Fix numerous Coverity IDs.
> >     * BUG 12113: ctdb-mutex: Avoid corner case where helper is already
> >       reparented to init.
> >     * BUG 12123: Fix ctdb tickle command and update documentation.
> >     * BUG 12125: CTDB overwrites working configuration due to packaging
> >       change.
> >     * BUG 12126: Fix broken CTDB log messages.
> > 
> > 
> > #######################################
> > Reporting bugs & Development Discussion
> > #######################################
> > 
> > Please discuss this release on the samba-technical mailing list or by
> > joining the #samba-technical IRC channel on irc.freenode.net.
> > 
> > If you do report problems then please try to send high quality
> > feedback. If you don't provide vital information to help us track down
> > the problem then you will probably be ignored.  All bug reports should
> > be filed under the Samba 4.1 and newer product in the project's Bugzilla
> > database (https://bugzilla.samba.org/).
> > 
> > 
> > ======================================================================
> > == Our Code, Our Bugs, Our Responsibility.
> > == The Samba Team
> > ======================================================================
> > 
> > 
> > ================
> > Download Details
> > ================
> > 
> > The uncompressed tarballs and patch files have been signed
> > using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> > from:
> > 
> >         https://download.samba.org/pub/samba/stable/
> > 
> > The release notes are available online at:
> > 
> >         https://www.samba.org/samba/history/samba-4.5.0.html
> > 
> > Our Code, Our Bugs, Our Responsibility.
> > (https://bugzilla.samba.org/)
> > 
> >                         --Enjoy
> >                         The Samba Team
> > 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
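As an added example (not code from the announcement or from the Samba project), the script below parses an smb.conf and flags the settings that the quoted notes change or remove in 4.5.0: an explicit "yes" for "ntlm auth", "lanman auth" or "raw NTLMv2 auth", the removed "only user" and "username" share parameters, and the "smb2 leases" and "smbd:force process locks" opt-outs. It assumes smbd's case- and whitespace-insensitive matching of parameter names; the sample configuration is constructed.

```python
"""Audit an smb.conf for settings changed or removed in Samba 4.5.0.
Added example, not Samba project code.  Assumes smbd's case- and
whitespace-insensitive parameter matching; the sample config is constructed."""
import re

# Options that 4.5.0 defaults to "no"; an explicit "yes" keeps NTLMv1/LanMan reachable.
WEAK_IF_YES = ("ntlm auth", "lanman auth", "raw NTLMv2 auth")
# Share parameters removed in 4.5.0 and what supersedes them.
REMOVED = {"only user": "valid users / invalid users",
           "username": "valid users / invalid users"}
# Tunables that opt out of a 4.5.0 default when set to the given value.
OPT_OUTS = {"smb2 leases": ("no", "SMB 2.1 leases stay disabled"),
            "smbd:force process locks": ("yes", "OFD locks turned off")}
YES, NO = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

SAMPLE_SMB_CONF = """\
# constructed sample, not a real deployment
[global]
   ntlm auth = yes
   smb2 leases = no
   smbd:force process locks = true

[legacy]
   path = /srv/legacy
   only user = yes
   username = alice
"""

def norm(name):
    """Normalise a parameter name: lowercase with whitespace removed."""
    return re.sub(r"\s+", "", name).lower()

def as_bool(value):
    """Map Samba's boolean spellings to True/False; None if not boolean."""
    v = value.strip().lower()
    return True if v in YES else False if v in NO else None

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][norm(key)] = value.strip()
    return sections

def audit(conf):
    """Return (section, parameter, message) findings for a parsed config."""
    findings = []
    for section, params in conf.items():
        for name in WEAK_IF_YES:
            if as_bool(params.get(norm(name), "no")) is True:
                findings.append((section, name, "explicitly yes; 4.5.0 default is no"))
        for name, replacement in REMOVED.items():
            if norm(name) in params:
                findings.append((section, name, "removed in 4.5.0; use " + replacement))
        for name, (trigger, message) in OPT_OUTS.items():
            if as_bool(params.get(norm(name), "")) == as_bool(trigger):
                findings.append((section, name, message))
    return findings

if __name__ == "__main__":
    for section, name, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {name}: {message}")
```

Running it against a real configuration only needs `parse_smb_conf(open("/etc/samba/smb.conf").read())` in place of the constructed sample.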