Samba 4.9.0 file name changes
Rowland Penny
rpenny at samba.org
Fri Sep 14 12:12:40 UTC 2018
On Fri, 14 Sep 2018 14:01:22 +0200
"L.P.H. van Belle via samba-technical"
<samba-technical at lists.samba.org> wrote:
> Question.
>
> I noticed a lot of filename changes while creating the debian
> packages.
>
> Things like :
> usr/bin/eventlogadm change to usr/sbin/eventlogadm
>
> usr/sbin/samba_gpoupdate change to usr/sbin/samba-gpupdate
>
> Or usr/lib/*/ctdb/ctdb_event changed to usr/lib/*/ctdb/ctdb-event
> usr/lib/*/ctdb/ctdb_eventd changed to usr/lib/*/ctdb/ctdb-eventd
>
> And usr/share/man/man5/ctdbd.conf.5 usr/share/man/man5/ctdb.conf.5
> For example.
>
> Are these "name" changes intended?
Yes, if look carefully in the release message below, they are all
there ;-)
Rowland
> Just to be sure here.
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba-technical
> > [mailto:samba-technical-bounces at lists.samba.org] Namens
> > Karolin Seeger via samba-technical
> > Verzonden: donderdag 13 september 2018 12:19
> > Aan: samba-announce at lists.samba.org; samba at lists.samba.org;
> > samba-technical at lists.samba.org
> > Onderwerp: [Announce] Samba 4.9.0 Available for Download
> >
> > ========================================================
> > "Former police chief of Houston once
> > said of me: ?Frank Abagnale could write
> > a check on toilet paper, drawn on the
> > Confederate States Treasury, sign it
> > ?U.R. Hooked? and cash it at any bank
> > in town, using a Hong Kong driver?s
> > license for identification.?
> >
> > Frank W. Abagnale, Catch Me If You Can:
> > The True Story of a Real Fake
> > ========================================================
> >
> >
> > Release Announcements
> > ---------------------
> >
> > =============================
> >
> > Release Notes for Samba 4.9.0
> >
> > September 13, 2018
> > =============================
> >
> >
> > This is the first stable release of the Samba 4.9 release series.
> > Please read the release notes carefully before upgrading.
> >
> >
> > NEW FEATURES/CHANGES
> > ====================
> >
> > 'net ads setspn'
> > ----------------
> >
> > There is a new 'net ads setspn' sub command for managing
> > Windows SPN(s)
> > on the AD. This command aims to give the basic functionality that is
> > provided on windows by 'setspn.exe' e.g. ability to add,
> > delete and list
> > Windows SPN(s) stored in a Windows AD Computer object.
> >
> > The format of the command is:
> >
> > net ads setspn list [machine]
> > net ads setspn [add | delete ] SPN [machine]
> >
> > 'machine' is the name of the computer account on the AD that
> > is to be managed.
> > If 'machine' is not specified the name of the 'client'
> > running the command
> > is used instead.
> >
> > The format of a Windows SPN is
> > 'serviceclass/host:port/servicename' (servicename and port
> > are optional)
> >
> > serviceclass/host is generally sufficient to specify a host
> > based service.
> >
> > 'net ads keytab' changes
> > ------------------------
> >
> > net ads keytab add no longer attempts to convert the passed
> > serviceclass
> > (e.g. nfs, html etc.) into a Windows SPN which is added to
> > the Windows AD
> > computer object. By default just the keytab file is modified.
> >
> > A new keytab subcommand 'add_update_ads' has been added to
> > preserve the
> > legacy behaviour. However the new 'net ads setspn add'
> > subcommand should
> > really be used instead.
> >
> > net ads keytab create no longer tries to generate SPN(s) from
> > existing entries in a keytab file. If it is required to add Windows
> > SPN(s) then 'net ads setspn add' should be used instead.
> >
> > Local authorization plugin for MIT Kerberos
> > -------------------------------------------
> >
> > This plugin controls the relationship between Kerberos
> > principals and AD
> > accounts through winbind. The module receives the Kerberos
> > principal and the
> > local account name as inputs and can then check if they
> > match. This can resolve
> > issues with canonicalized names returned by Kerberos within
> > AD. If the user
> > tries to log in as 'alice', but the samAccountName is set to
> > ALICE (uppercase),
> > Kerberos would return ALICE as the username. Kerberos would
> > not be able to map
> > 'alice' to 'ALICE' in this case and auth would fail. With
> > this plugin, account
> > names can be correctly mapped. This only applies to GSSAPI
> > authentication,
> > not for getting the initial ticket granting ticket.
> >
> > VFS audit modules
> > -----------------
> >
> > The vfs_full_audit module has changed its default set of
> > monitored successful
> > and failed operations from "all" to "none". That helps to
> > prevent potential
> > denial of service caused by simple addition of the module to
> > the VFS objects.
> >
> > Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now
> > accept any valid
> > syslog(3) facility, in accordance with the manual page.
> >
> > Database audit support
> > ----------------------
> >
> > Changes to the Samba AD's sam.ldb database are now logged to
> > Samba's debug log
> > under the "dsdb_audit" debug class and "dsdb_json_audit" for
> > JSON formatted log
> > entries.
> >
> > Transaction commits and roll backs are now logged to Samba's
> > debug logs under
> > the "dsdb_transaction_audit" debug class and
> > "dsdb_transaction_json_audit" for
> > JSON formatted log entries.
> >
> > Password change audit support
> > -----------------------------
> >
> > Password changes in the AD DC are now logged to Samba's debug
> > logs under the
> > "dsdb_password_audit" debug class and
> > "dsdb_password_json_audit" for JSON
> > formatted log entries.
> >
> > Group membership change audit support
> > -------------------------------------
> >
> > Group membership changes on the AD DC are now logged to
> > Samba's debug log under the "dsdb_group_audit" debug class and
> > "dsdb_group_json_audit" for JSON formatted log entries.
> >
> > Log Authentication duration
> > ---------------------------
> >
> > For NTLM and Kerberos KDC authentication, the authentication
> > duration is now
> > logged. Note that the duration is only included in the JSON
> > formatted log
> > entries.
> >
> > JSON library Jansson required for the AD DC
> > -------------------------------------------
> >
> > By default, the Jansson JSON library is required for Samba to build.
> > It is strictly required for the Samba AD DC, and is optional for
> > builds "--without-ad-dc" by specifying "--without-json-audit"
> > at configure
> > time.
> >
> > New experimental LMDB LDB backend
> > ---------------------------------
> >
> > A new experimental LDB backend using LMDB is now available.
> > This allows
> > databases larger than 4Gb (Currently the limit is set to 6Gb,
> > but this will be
> > increased in a future release). To enable lmdb, provision or
> > join a domain using
> > the "--backend-store=mdb" option.
> >
> > This requires that a version of lmdb greater than 0.9.16 is
> > installed and that
> > samba has not been built with the "--without-ldb-lmdb" option.
> >
> > Please note this is an experimental feature and is not recommended
> > for production deployments.
> >
> > Password Settings Objects
> > -------------------------
> >
> > Support has been added for Password Settings Objects (PSOs).
> > This AD feature is
> > also known as Fine-Grained Password Policies (FGPP).
> >
> > PSOs allow AD administrators to override the domain password
> > policy settings
> > for specific users, or groups of users. For example, PSOs can
> > force certain
> > users to have longer password lengths, or relax the
> > complexity constraints for
> > other users, and so on. PSOs can be applied to groups or to
> > individual users.
> > When multiple PSOs apply to the same user, essentially the
> > PSO with the best
> > precedence takes effect.
> >
> > PSOs can be configured and applied to users/groups using the
> > 'samba-tool domain
> > passwordsettings pso' set of commands.
> >
> > Domain backup and restore
> > -------------------------
> >
> > A new 'samba-tool' subcommand has been added that allows
> > administrators to
> > create a backup-file of their domain DB. In the event of a
> > catastrophic failure
> > of the domain, this backup-file can be used to restore Samba
> > services.
> >
> > The new 'samba-tool domain backup online' command takes a
> > snapshot of the
> > domain DB from a given DC. In the event of a catastrophic DB
> > failure, all DCs
> > in the domain should be taken offline, and the backup-file
> > can then be used to
> > recreate a fresh new DC, using the 'samba-tool domain backup
> > restore' command.
> > Once the backed-up domain DB has been restored on the new DC,
> > other DCs can
> > then subsequently be joined to the new DC, in order to
> > repopulate the Samba
> > network.
> >
> > Domain rename tool
> > ------------------
> >
> > Basic support has been added for renaming a Samba domain. The
> > rename feature is
> > designed for the following cases:
> > 1). Running a temporary alternate domain, in the event of a
> > catastrophic
> > failure of the regular domain. Using a completely different
> > domain name and
> > realm means that the original domain and the renamed domain
> > can both run at the
> > same time, without interfering with each other. This is an
> > advantage over
> > creating a regular 'online' backup - it means the
> > renamed/alternate domain can
> > provide core Samba network services, while trouble-shooting
> > the fault on the
> > original domain can be done in parallel.
> > 2). Creating a realistic lab domain or pre-production domain
> > for testing.
> >
> > Note that the renamed tool is currently not intended to
> > support a long-term
> > rename of the production domain. Currently renaming the GPOs
> > is not supported
> > and would need to be done manually.
> >
> > The domain rename is done in two steps: first, the
> > 'samba-tool domain backup
> > rename' command will clone the domain DB, renaming it in the
> > process, and
> > producing a backup-file. Then, the 'samba-tool domain backup
> > restore' command
> > takes the backup-file and restores the renamed DB to disk on
> > a fresh DC.
> >
> > New samba-tool options for diagnosing DRS replication issues
> > ------------------------------------------------------------
> >
> > The 'samba-tool drs showrepl' command has two new options
> > controlling the output. With --summary, the command says very
> > little when DRS replication is working well. With --json, JSON is
> > produced. These options are intended for human and machine
> > audiences, respectively.
> >
> > The 'samba-tool visualize uptodateness' visualizes replication lag
> > as a heat-map matrix based on the DRS uptodateness vectors. This
> > will show you if (but not why) changes are failing to replicate to
> > some DCs.
> >
> > Automatic site coverage and GetDCName improvements
> > --------------------------------------------------
> >
> > Samba's AD DC now automatically claims otherwise empty sites based
> > on which DC is the nearest in the replication topology.
> >
> > This, combined with efforts to correctly identify the client side in
> > the GetDCName Netlogon call will improve service to sites without a
> > local DC.
> >
> > Improved 'samba-tool computer' command
> > --------------------------------------
> >
> > The 'samba-tool computer' command allow manipulation of computer
> > accounts including creating a new computer and resetting the
> > password. This allows an 'offline join' of a member server or
> > workstation to the Samba AD domain.
> >
> > New 'samba-tool ou' command
> > ---------------------------
> >
> > The new 'samba-tool ou' command allows to manage organizational
> > units.
> >
> > Available subcommands are:
> > create - Create an organizational unit.
> > delete - Delete an organizational unit.
> > list - List all organizational units
> > listobjects - List all objects in an organizational unit.
> > move - Move an organizational unit.
> > rename - Rename an organizational unit.
> >
> > In addition to the ou commands, there are new subcommands for the
> > user and group management, which can make use of the organizational
> > units: group move - Move a group to an organizational
> > unit/container. user move - Move a user to an organizational
> > unit/container. user show - Display a user AD object.
> >
> > Samba performance tool now operates against Microsoft Windows AD
> > ----------------------------------------------------------------
> >
> > The Samba AD performance testing tool 'traffic_reply' can now
> > operate against a Windows based AD domain. Previously it only
> > operated correctly against Samba.
> >
> > DNS entries are now cleaned up during DC demote
> > -----------------------------------------------
> >
> > DNS records are now cleaned up as part of the 'samba-tool domain
> > demote' including both the default and '--remove-other-dead-server'
> > modes.
> >
> > Additionally, DNS records can be automatically cleaned up for a
> > given name with the 'samba-tool dns cleanup' command, which aids in
> > cleaning up partially removed DCs.
> >
> > samba-tool ntacl sysvolreset is now much faster
> > -----------------------------------------------
> >
> > The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC,
> > is now much faster than in previous versions, after an internal
> > rework.
> >
> > Samba now tested with CI GitLab
> > -------------------------------
> >
> > Samba developers now have pre-commit testing available in GitLab,
> > giving reviewers confidence that the submitted patches pass a full
> > CI before being submitted to the Samba Team's own autobuild system.
> >
> > Dynamic DNS record scavenging support
> > -------------------------------------
> >
> > It is now possible to enable scavenging of DNS Zones to remove DNS
> > records that were dynamically created and have not been touched in
> > some time.
> >
> > This support should however only be enabled on new zones or new
> > installations. Sadly old Samba versions suffer from BUG 12451 and
> > mark dynamic DNS records as static and static records as dynamic.
> > While a dbcheck rule may be able to find these in the future,
> > currently a reliable test has not been devised.
> >
> > Finally, there is not currently a command-line tool to enable this
> > feature, currently it should be enabled from the DNS Manager tool
> > from Windows. Also the feature needs to have been enabled by
> > setting the smb.conf
> > parameter "dns zone scavenging = yes".
> >
> > Improved support for trusted domains (as AD DC)
> > -----------------------------------------------
> >
> > The support for trusted domains/forests has been further improved.
> >
> > External domain trusts, as well a transitive forest trusts,
> > are supported in both directions (inbound and outbound)
> > for Kerberos and NTLM authentication.
> >
> > The following features are new in 4.9 (compared to 4.8):
> >
> > - It's now possible to add users/groups of a trusted domain
> > into domain groups. The group memberships are expanded
> > on trust boundaries.
> > - foreignSecurityPrincipal objects (FPO) are now automatically
> > created when members (as SID) of a trusted domain/forest
> > are added to a group.
> > - The 'samba-tool group *members' commands allow
> > members to be specified as foreign SIDs.
> >
> > However there are currently still a few limitations:
> >
> > - Both sides of the trust need to fully trust each other!
> > - No SID filtering rules are applied at all!
> > - This means DCs of domain A can grant domain admin rights
> > in domain B.
> > - Selective (CROSS_ORGANIZATION) authentication is
> > not supported. It's possible to create such a trust,
> > but the KDC and winbindd ignore them.
> > - Samba can still only operate in a forest with just
> > one single domain.
> >
> > CTDB changes
> > ------------
> >
> > There are many changes to CTDB in this release.
> >
> > * Configuration has been completely overhauled
> >
> > - Daemon and tool options are now specified in a new ctdb.conf
> > Samba-style configuration file. See ctdb.conf(5) for details.
> >
> > - Event script configuration is no longer specified in the
> > top-level configuration file. It can now be specified per event
> > script. For example, configuration options for the 50.samba event
> > script can be placed alongside the event script in a file called
> > 50.samba.options. Script options can also be specified in a new
> > script.options file. See ctdb-script.options(5) for details.
> >
> > - Options that affect CTDB startup should be configured in the
> > distribution-specific configuration file. See ctdb.sysconfig(5)
> > for details.
> >
> > - Tunable settings are now loaded from ctdb.tunables. Using
> > CTDB_SET_TunableVariable=<value> in the main configuration file
> > is no longer supported. See ctdb-tunables(7) for details.
> >
> > A example script to migrate an old-style configuration to the new
> > style is available in ctdb/doc/examples/config_migrate.sh.
> >
> > * The following configuration variables and corresponding ctdbd
> > command-line options have been removed and not replaced with
> > counterparts in the new configuration scheme:
> >
> > CTDB_PIDFILE --pidfile
> > CTDB_SOCKET --socket
> > CTDB_NODES --nlist
> > CTDB_PUBLIC_ADDRESSES --public-addresses
> > CTDB_EVENT_SCRIPT_DIR --event-script-dir
> > CTDB_NOTIFY_SCRIPT --notification-script
> > CTDB_PUBLIC_INTERFACE --public-interface
> > CTDB_MAX_PERSISTENT_CHECK_ERRORS --max-persistent-check-errors
> >
> > - The compile-time defaults should be used for the first 6 of
> > these.
> > - Use a symbolic link from the configuration directory to specify
> > a different location for nodes or public_addresses (e.g. in the
> > cluster filesystem).
> > - Executable notification scripts in the notify.d/ subdirectory of
> > the configuration directory are now run by unconditionally.
> > - Interfaces for public IP addresses must always be specified in
> > the public_addresses file using the currently supported format.
> >
> > Some related items that have been removed are:
> >
> > - The ctdb command's --socket command-line option
> > - The ctdb command's CTDB_NODES environment variable
> >
> > When writing tests there are still mechanisms available to change
> > the locations of certain directories and files.
> >
> > * The following ctdbd.conf and ctdbd options have been replaced by
> > new ctdb.conf options:
> >
> > CTDB_LOGGING/--logging logging -> location
> > CTDB_DEBUGLEVEL/-d logging -> log level
> > CTDB_TRANSPORT/--transport cluster -> transport
> > CTDB_NODE_ADDRESS/--listen cluster ->
> > node address
> > CTDB_RECOVERY_LOCK/--reclock cluster ->
> > recovery lock
> > CTDB_DBDIR/--dbdir database ->
> > volatile database directory
> > CTDB_DBDIR_PERSISTENT/--dbdir-persistent database ->
> > peristent database directory
> > CTDB_DBDIR_STATE/--dbdir-state database ->
> > state database directory
> > CTDB_DEBUG_LOCKS database ->
> > lock debug script
> > CTDB_DEBUG_HUNG_SCRIPT event ->
> > debug script
> > CTDB_NOSETSCHED/--nosetsched legacy ->
> > realtime scheduling
> > CTDB_CAPABILITY_RECMASTER/--no-recmaster legacy ->
> > recmaster capability
> > CTDB_CAPABILITY_LMASTER/--no-lmaster legacy ->
> > lmaster capability
> > CTDB_START_AS_STOPPED/--start-as-stopped legacy ->
> > start as stopped
> > CTDB_START_AS_DISABLED/--start-as-disabled legacy ->
> > start as disabled
> > CTDB_SCRIPT_LOG_LEVEL/--script-log-level legacy ->
> > script log level
> >
> > * Event scripts have moved to the scripts/legacy subdirectory of the
> > configuration directory
> >
> > Event scripts must now end with a ".script" suffix.
> >
> > * The "ctdb event" command has changed in 2 ways:
> >
> > - A component is now required for all commands
> >
> > In this release the only valid component is "legacy".
> >
> > - There is no longer a default event when running "ctdb
> > event status"
> >
> > Listing the status of the "monitor" event is now done via:
> >
> > ctdb event status legacy monitor
> >
> > See ctdb(1) for details.
> >
> > * The following service-related event script options have been
> > removed:
> >
> > CTDB_MANAGES_SAMBA
> > CTDB_MANAGES_WINBIND
> >
> > CTDB_MANAGES_CLAMD
> > CTDB_MANAGES_HTTPD
> > CTDB_MANAGES_ISCSI
> > CTDB_MANAGES_NFS
> > CTDB_MANAGES_VSFTPD
> >
> > CTDB_MANAGED_SERVICES
> >
> > Event scripts for services are now disabled by default. To enable
> > an event script and, therefore, manage a service use a command
> > like the following:
> >
> > ctdb event script enable legacy 50.samba
> >
> > * Notification scripts have moved to the scripts/notification
> > subdirectory of the configuration directory
> >
> > Notification scripts must now end with a ".script" suffix.
> >
> > * Support for setting CTDB_DBDIR=tmpfs has been removed
> >
> > This feature has not been implemented in the new configuration
> > system. If this is desired then a tmpfs filesystem should be
> > manually mounted on the directory pointed to by the "volatile
> > database directory" option. See ctdb.conf(5) for more details.
> >
> > * The following tunable options are now ctdb.conf options:
> >
> > DisabledIPFailover failover -> disabled
> > TDBMutexEnabled database -> tdb mutexes
> >
> > * Support for the NoIPHostOnAllDisabled tunable has been removed
> >
> > If all nodes are unhealthy or disabled then CTDB will not host
> > public IP addresses. That is, CTDB now behaves as if
> > NoIPHostOnAllDisabled were set to 1.
> >
> > * The onnode command's CTDB_NODES_FILE environment variable has been
> > removed
> >
> > The -f option can still be used to specify an alternate node file.
> >
> > * The 10.external event script has been removed
> >
> > * The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
> >
> > As with other daemons, if ctdbd does not shut down when requested
> > then manual intervention is required. There is no safe way of
> > automatically killing ctdbd after a failed shutdown.
> >
> > * CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration
> > variable have been removed
> >
> > These should be setup in the systemd unit/system file or, for SYSV
> > init, in the distribution-specific configuration file for the ctdb
> > service.
> >
> > * CTDB_PARTIALLY_ONLINE_INTERFACES incompatibility no longer
> > enforced
> >
> > 11.natgw and 91.lvs will no longer fail if
> > CTDB_PARTIALLY_ONLINE_INTERFACES=yes. The incompatibility is,
> > however, well documented. This option will be removed in future
> > and replaced by sensible behaviour where public IP addresses simply
> > switch interfaces or become unavailable when interfaces are down.
> >
> > * Configuration file /etc/ctdb/sysconfig/ctdb is no longer supported
> >
> > GPO Improvements
> > ----------------
> >
> > The 'samba_gpoupdate' command (used in applying Group Policies to
> > the Samba machine itself) has been renamed to "samba_gpupdate" and
> > had the syntax changed to better match the same tool on Windows.
> >
> >
> > REMOVED FEATURES
> > ================
> >
> > %
> >
> > smb.conf changes
> > ================
> >
> > As the most popular Samba install platforms (Linux and FreeBSD) both
> > support extended attributes by default, the parameters "map
> > readonly", "store dos attributes" and "ea support" have had their
> > defaults changed
> > to allow better Windows fileserver compatibility in a default
> > install.
> >
> > Parameter Name Description Default
> > -------------- ----------- -------
> > map readonly Default changed no
> > store dos attributes Default changed yes
> > ea support Default changed yes
> > full_audit:success Default changed none
> > full_audit:failure Default changed none
> >
> > VFS interface changes
> > =====================
> >
> > The VFS ABI interface version has changed to 39. Function changes
> > are:
> >
> > SMB_VFS_FSYNC: Removed: Only async versions are used.
> > SMB_VFS_READ: Removed: Only PREAD or async versions are used.
> > SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
> > SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
> > SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
> >
> > Any external VFS modules will need to be updated to match these
> > changes in order to work with 4.9.x.
> >
> > CHANGES SINCE 4.9.0rc5
> > ======================
> >
> > o Björn Baumbach <bb at sernet.de>
> > * BUG 13605: samba_dnsupdate: Honor 'dns zone scavenging'
> > option, only
> > update if needed.
> >
> > o Andreas Schneider <asn at samba.org>
> > * BUG 13606: wafsamba: Fix 'make -j<jobs>'.
> > o
> > CHANGES SINCE 4.9.0rc4
> > ======================
> >
> > o Jeremy Allison <jra at samba.org>
> > * BUG 13565: s3: VFS: vfs_full_audit: Ensure
> > smb_fname_str_do_log() only
> > returns absolute pathnames.
> >
> > o Paulo Alcantara <paulo at paulo.ac>
> > * BUG 13578: s3: util: Do not take over stderr when there
> > is no log file.
> >
> > o Ralph Boehme <slow at samba.org>
> > * BUG 13549: Durable Reconnect fails because
> > cookie.allow_reconnect is not
> > set.
> >
> > o Alexander Bokovoy <ab at samba.org>
> > * BUG 13539: krb5-samba: Interdomain trust uses different
> > salt principal.
> >
> > o Volker Lendecke <vl at samba.org>
> > * BUG 13441: vfs_fruit: Don't unlink the main file.
> > * BUG 13602: smbd: Fix a memleak in async search ask sharemode.
> >
> > o Stefan Metzmacher <metze at samba.org>
> > * BUG 11517: Fix Samba GPO issue when Trust is enabled.
> > * BUG 13539: samba-tool: Add "virtualKerberosSalt" attribute to
> > 'user getpassword/syncpasswords'.
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 13589: Fix CTDB configuration issues.
> > * BUG 13592: ctdbd logs an error until it can successfully
> > connect to
> > eventd.
> >
> >
> > CHANGES SINCE 4.9.0rc3
> > ======================
> >
> > o Jeremy Allison <jra at samba.org>
> > * BUG 13585: s3: smbd: Ensure get_real_filename() copes with
> > empty pathnames.
> >
> > o Tim Beale <timbeale at catalyst.net.nz>
> > * BUG 13566: samba domain backup online/rename commands
> > force user to specify
> > password on CLI.
> >
> > o Alexander Bokovoy <ab at samba.org>
> > * BUG 13579: wafsamba/samba_abi: Always hide ABI symbols
> > which must be
> > local.
> >
> > o Volker Lendecke <vl at samba.org>
> > * BUG 13584: Fix a panic if fruit_access_check detects a
> > locking conflict.
> >
> > o Andreas Schneider <asn at samba.org>
> > * BUG 13567: Fix memory and resource leaks.
> > * BUG 13580: python: Fix print in dns_invalid.py.
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 13588: Aliasing issue causes incorrect IPv6 checksum.
> > * BUG 13589: Fix CTDB configuration issues.
> >
> > o Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> > * BUG 13568: s3: vfs: time_audit: fix handling of token_blob in
> > smb_time_audit_offload_read_recv().
> >
> >
> > CHANGES SINCE 4.9.0rc2
> > ======================
> >
> > o Jeremy Allison <jra at samba.org>
> > * BUG 13453: CVE-2018-10858: libsmb: Harden
> > smbc_readdir_internal() against
> > returns from malicious servers.
> >
> > o Andrew Bartlett <abartlet at samba.org>
> > * BUG 13374: CVE-2018-1140: ldbsearch
> > '(distinguishedName=abc)' and DNS query
> > with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
> > * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL
> > pointer de-ref) when
> > not servicePrincipalName is set on a user.
> >
> > o Tim Beale <timbeale at catalyst.net.nz>
> > * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized
> > attribute access via
> > searches.
> >
> > o Samuel Cabrero <scabrero at suse.de>
> > * BUG 13540: ctdb_mutex_ceph_rados_helper: Set SIGINT
> > signal handler.
> >
> > o Günther Deschner <gd at samba.org>
> > * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow
> > ntlmv1 over SMB1 when it
> > is disabled via "ntlm auth".
> > * BUG 13529: s3-tldap: do not install test_tldap.
> >
> > o David Disseldorp <ddiss at samba.org>
> > * BUG 13540: ctdb_mutex_ceph_rados_helper: Fix deadlock
> > via lock renewals.
> >
> > o Andrej Gessel <Andrej.Gessel at janztec.com>
> > * BUG 13374: CVE-2018-1140 Add NULL check for
> > ldb_dn_get_casefold() in
> > ltdb_index_dn_attr().
> >
> > o Amitay Isaacs <amitay at gmail.com>
> > * BUG 13554: ctdb-eventd: Fix CID 1438155.
> >
> > o Volker Lendecke <vl at samba.org>
> > * BUG 13553: Fix CIDs 1438243, (Unchecked return value) 1438244
> > (Unsigned compared against 0), 1438245 (Dereference
> > before null check) and
> > 1438246 (Unchecked return value).
> > * BUG 13554: ctdb: Fix a cut&paste error.
> >
> > o Oleksandr Natalenko <oleksandr at redhat.com>
> > * BUG 13559: systemd: Only start smb when network
> > interfaces are up.
> >
> > o Noel Power <noel.power at suse.com>
> > * BUG 13553: Fix quotas don't work with SMB2.
> > * BUG 13563: s3/smbd: Ensure quota code is only called
> > when quota support
> > detected.
> >
> > o Anoop C S <anoopcs at redhat.com>
> > * BUG 13204: s3/libsmb: Explicitly set delete_on_close
> > token for rmdir.
> >
> > o Andreas Schneider <asn at samba.org>
> > * BUG 13561: s3:waf: Install eventlogadm to /usr/sbin.
> >
> > o Justin Stephenson <jstephen at redhat.com>
> > * BUG 13562: Shorten description in vfs_linux_xfs_sgid manual.
> >
> >
> > CHANGES SINCE 4.9.0rc1
> > ======================
> >
> > o Jeremy Allison <jra at samba.org>
> > * BUG 13537: s3: smbd: Using "sendfile = yes" with SMB2
> > can cause CPU spin.
> >
> > o Ralph Boehme <slow at samba.org>
> > * BUG 13535: s3: smbd: Fix path check in
> > smbd_smb2_create_durable_lease_check().
> >
> > o Alexander Bokovoy <ab at samba.org>
> > * BUG 13538: samba-tool trust: Support discovery via
> > netr_GetDcName.
> > * BUG 13542: s4-dsdb: Only build dsdb Python modules for AD DC.
> >
> > o Amitay Isaacs <amitay at gmail.com>
> > * BUG 13520: Fix portability issues on freebsd.
> >
> > o Gary Lockyer <gary at catalyst.net.nz>
> > * BUG 13536: DNS wildcard search does not handle multiple
> > labels correctly.
> >
> > o Stefan Metzmacher <metze at samba.org>
> > * BUG 13308: samba-tool domain trust: Fix trust
> > compatibility to Windows
> > Server 1709 and FreeIPA.
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 13520: Fix portability issues on freebsd.
> > * BUG 13545: ctdb-protocol: Fix CTDB compilation issues.
> > * BUG 13546: ctdb-docs: Replace obsolete reference to
> > CTDB_DEBUG_HUNG_SCRIPT
> > option.
> > * BUG 13550: ctdb-doc: Provide an example script for migrating
> > old configuration.
> > * BUG 13551: ctdb-event: Implement event tool "script
> > list" command.
> >
> >
> > KNOWN ISSUES
> > ============
> >
> > https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.
> > 9#Release_blocking_bugs
> >
> >
> > #######################################
> > Reporting bugs & Development Discussion
> > #######################################
> >
> > Please discuss this release on the samba-technical mailing list or
> > by joining the #samba-technical IRC channel on irc.freenode.net.
> >
> > If you do report problems then please try to send high quality
> > feedback. If you don't provide vital information to help us track
> > down the problem then you will probably be ignored. All bug
> > reports should be filed under the Samba 4.1 and newer product in
> > the project's Bugzilla
> > database (https://bugzilla.samba.org/).
> >
> >
> > ======================================================================
> > == Our Code, Our Bugs, Our Responsibility.
> > == The Samba Team
> > ======================================================================
> >
> > ================
> > Download Details
> > ================
> >
> > The uncompressed tarballs and patch files have been signed
> > using GnuPG (ID 6F33915B6568B7EA). The source code can be
> > downloaded from:
> >
> > https://download.samba.org/pub/samba/stable/
> >
> > The release notes are available online at:
> >
> > https://www.samba.org/samba/history/samba-4.9.0.html
> >
> > Our Code, Our Bugs, Our Responsibility.
> > (https://bugzilla.samba.org/)
> >
> > --Enjoy
> > The Samba Team
> >
>
>
More information about the samba-technical
mailing list