[PATCH 1/2] WHATSNEW: move winbind changes to UPGRADING section

[Björn Jacke]

Signed-off-by: Bjoern Jacke <bj at sernet.de>
---
 WHATSNEW.txt | 54 +++++++++++++++++++++++++++---------------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a2f647a..26e933ee 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,6 +12,33 @@ Samba 4.6 will be the next version of the Samba suite.
 UPGRADING
 =========
 
+winbind changes
+---------------
+
+4.6 winbind simplifies the calculation of supplementary groups to make
+it more reliable and predictable. Before 4.6, winbind contained code
+that tried to emulate the group membership calculation that domain
+controllers do when a user logs in. This group membership calculation
+is a very complex process, in particular for domain trust relationship
+situations. Also, in many scenarios it is impossible for winbind to
+correctly do this calculation due to access restrictions in the
+domains: winbind using its machine account simply does not have the
+rights to ask for an arbitrary user's group memberships.
+
+When a user logs in to a Samba server, the domain controller correctly
+calculates the user's group memberships authoritatively and makes the
+information available to the Samba server. This is the only reliable
+way Samba can get informed about the groups a user is member of.
+
+Because of its flakiness, the fallback group membership code was
+removed.
+
+This means that "id <username>" without the user having logged in
+previously stops showing any supplementary groups. Also, it will show
+"DOMAIN\Domain Users" as the primary group. Once the user has logged
+in, "id <username>" will correctly show the primary group and
+supplementary group list.
+
 vfs_fruit option "fruit:resource" spelling correction
 -----------------------------------------------------
 
@@ -203,33 +230,6 @@ CTDB changes
   To build/install these, use the --enable-etcd-reclock and
   --enable-ceph-reclock configure options.
 
-winbind changes
----------------
-
-4.6 winbind simplifies the calculation of supplementary groups to make
-it more reliable and predictable. Before 4.6, winbind contained code
-that tried to emulate the group membership calculation that domain
-controllers do when a user logs in. This group membership calculation
-is a very complex process, in particular for domain trust relationship
-situations. Also, in many scenarios it is impossible for winbind to
-correctly do this calculation due to access restrictions in the
-domains: winbind using its machine account simply does not have the
-rights to ask for an arbitrary user's group memberships.
-
-When a user logs in to a Samba server, the domain controller correctly
-calculates the user's group memberships authoritatively and makes the
-information available to the Samba server. This is the only reliable
-way Samba can get informed about the groups a user is member of.
-
-Because of its flakiness, the fallback group membership code was
-removed.
-
-This means that "id <username>" without the user having logged in
-previously stops showing any supplementary groups. Also, it will show
-"DOMAIN\Domain Users" as the primary group. Once the user has logged
-in, "id <username>" will correctly show the primary group and
-supplementary group list.
-
 winbind primary group and nss info
 ----------------------------------
 
-- 
2.7.4