[Announce] Samba 4.12.0rc3 Available for Download

Karolin Seeger kseeger at samba.org
Wed Feb 19 11:08:28 UTC 2020

Release Announcements

This is the third release candidate of Samba 4.12.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.12 will be the next version of the Samba suite.



Python 3.5 Required

Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11.  Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

(Build time support for the file server with Python 2.6 has not

Removing in-tree cryptography: GnuTLS 3.4.7 required

Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries.  To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD

Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.

Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!

NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.

A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above

"net ads kerberos pac save" and "net eventlog export"

The "net ads kerberos pac save" and "net eventlog export" tools will
no longer silently overwrite an existing file during data export.  If
the filename given exits, an error will be shown.



Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.

VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.

'io_uring' vfs module

The module makes use of the new io_uring infrastructure
(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/

Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).

In order to build the module you need the liburing userspace library
and its developement headers installed, see

At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.

MS-DFS changes in the VFS

This release changes set getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:


instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this has not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this


The smb.conf parameter "write cache size" has been removed.

Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development.  The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-contrained
systems, so this functionality should not be enabled in core smbd

In addition, it complicated the write code, which is a performance
critical code path.

If required for specialist purposes, it can be recreated as a VFS

BIND9_FLATFILE deprecated

The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future.  This was only practically useful on a single
domain controller or under expert care and supervision.

This release removes the "rndc command" smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain.  Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.

Retiring DES encryption types in Kerberos.
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).

Samba-DC: DES keys no longer saved in DB.
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password.  If the account is being
migrated to Windbows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.

Heimdal-DC: removal of weak-crypto.
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).

vfs_netatalk: The netatalk VFS module has been removed.

The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.

CTDB changes

* The ctdb_mutex_fcntl_helper periodically re-checks the lock file

  The re-check period is specified using a 2nd argument to this
  helper.  The default re-check period is 5s.

  If the file no longer exists or the inode number changes then the
  helper exits.  This triggers an election.

smb.conf changes

  Parameter Name                     Description                Default
  --------------                     -----------                -------

  nfs4:acedup                        Changed default            merge
  rndc command                       Removed
  write cache size                   Removed
  spotlight backend		     New			noindex


o  Jeremy Allison <jra at samba.org>
   * BUG 14282: Set getting and setting of MS-DFS redirects on the filesystem
     to go through two new VFS functions SMB_VFS_CREATE_DFS_PATHAT() and

o  Andrew Bartlett <abartlet at samba.org>
   * BUG 14255: bootstrap: Remove un-used dependency python3-crypto.

o  Volker Lendecke <vl at samba.org>
   * BUG 14247: Fix CID 1458418 and 1458420.
   * BUG 14281: lib: Fix a shutdown crash with "clustering = yes".

o  Stefan Metzmacher <metze at samba.org>
   * BUG 14247: Winbind member (source3) fails local SAM auth with empty domain
   * BUG 14265: winbindd: Handle missing idmap in getgrgid().
   * BUG 14271: Don't use forward declaration for GnuTLS typedefs.
   * BUG 14280: Add io_uring vfs module.

o  Andreas Schneider <asn at samba.org>
   * BUG 14250: libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2.


o  Jeremy Allison <jra at samba.org>
   * BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet processing.

o  Andreas Schneider <asn at samba.org>
   * BUG 14253: lib:util: Log mkdir error on correct debug levels.



Reporting bugs & Development Discussion

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

Download Details

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded


The release notes are available online at:


Our Code, Our Bugs, Our Responsibility.

                        The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200219/e04a9c76/signature.sig>

More information about the samba-technical mailing list