[Announce] Samba 4.12.0 Available for Download
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Thu Mar 5 05:13:18 UTC 2020
Hello,
What is the status of SMBv1 in Samba 4.12?
3 марта 2020 г. 13:47:17 GMT+03:00, Karolin Seeger via samba-technical <samba-technical at lists.samba.org> пишет:
>Release Announcements
>---------------------
>
>This is the first stable release of the Samba 4.12 release series.
>Please read the release notes carefully before upgrading.
>
>
>NEW FEATURES/CHANGES
>====================
>
>Python 3.5 Required
>-------------------
>
>Samba's minimum runtime requirement for python was raised to Python
>3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
>3.5 both to access new features and because this is the oldest version
>we test with in our CI infrastructure.
>
>(Build time support for the file server with Python 2.6 has not
>changed)
>
>Removing in-tree cryptography: GnuTLS 3.4.7 required
>----------------------------------------------------
>
>Samba is making efforts to remove in-tree cryptographic functionality,
>and to instead rely on externally maintained libraries. To this end,
>Samba has chosen GnuTLS as our standard cryptographic provider.
>
>Samba now requires GnuTLS 3.4.7 to be installed (including development
>headers at build time) for all configurations, not just the Samba AD
>DC.
>
>Thanks to this work Samba no longer ships an in-tree DES
>implementation and on GnuTLS 3.6.5 or later Samba will include no
>in-tree cryptography other than the MD4 hash and that
>implemented in our copy of Heimdal.
>
>Using GnuTLS for SMB3 encryption you will notice huge performance and
>copy
>speed improvements. Tests with the CIFS Kernel client from Linux Kernel
>5.3
>show a 3x speed improvement for writing and a 2.5x speed improvement
>for reads!
>
>NOTE WELL: The use of GnuTLS means that Samba will honour the
>system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
>standard) and so will not operate in many still common situations if
>this system-wide parameter is in effect, as many of our protocols rely
>on outdated cryptography.
>
>A future Samba version will mitigate this to some extent where good
>cryptography effectively wraps bad cryptography, but for now that above
>applies.
>
>zlib library is now required to build Samba
>-------------------------------------------
>
>Samba no longer includes a local copy of zlib in our source tarball.
>By removing this we do not need to ship (even where we did not
>build) the old, broken zip encryption code found there.
>
>New Spotlight backend for Elasticsearch
>---------------------------------------
>
>Support for the macOS specific Spotlight search protocol has been
>enhanced
>significantly. Starting with 4.12 Samba supports using Elasticsearch as
>search
>backend. Various new parameters have been added to configure this:
>
> spotlight backend = noindex | elasticsearch | tracker
> elasticsearch:address = ADDRESS
> elasticsearch:port = PORT
> elasticsearch:use tls = BOOLEAN
> elasticsearch:index = INDEXNAME
> elasticsearch:mappings = PATH
> elasticsearch:max results = NUMBER
>
>Samba also ships a Spotlight client command "mdfind" which can be used
>to search
>any SMB server that runs the Spotlight RPC service. See the manpage of
>mdfind
>for details.
>
>Note that when upgrading existing installations that are using the
>previous
>default Spotlight backend Gnome Tracker must explicitly set "spotlight
>backend =
>tracker" as the new default is "noindex".
>
>'net ads kerberos pac save' and 'net eventlog export'
>-----------------------------------------------------
>
>The 'net ads kerberos pac save' and 'net eventlog export' tools will
>no longer silently overwrite an existing file during data export. If
>the filename given exits, an error will be shown.
>
>Fuzzing
>-------
>
>A large number of fuzz targets have been added to Samba, and Samba has
>been registered in Google's oss-fuzz cloud fuzzing service. In
>particular, we now have good fuzzing coverage of our generated NDR
>parsing code.
>
>A large number of issues have been found and fixed thanks to this
>effort.
>
>'samba-tool' improvements add contacts as member to groups
>----------------------------------------------------------
>
>Previously 'samba-tool group addmemers' can just add users, groups and
>computers as members to groups. But also contacts can be members of
>groups. Samba 4.12 adds the functionality to add contacts to
>groups. Since contacts have no sAMAccountName, it's possible that
>there are more than one contact with the same name in different
>organizational units. Therefore it's necessary to have an option to
>handle group members by their DN.
>
>To get the DN of an object there is now the "--full-dn" option
>available
>for all necessary commands.
>
>The MS Windows UI allows to search for specific types of group members
>when searching for new members for a group. This feature is included
>here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
>option. The different types are selected accordingly to the Windows
>UI. The default samba-toole behaviour shouldn't be changed.
>
>Allow filtering by OU or subtree in samba-tool
>----------------------------------------------
>
>A new "--base-dn" and "--member-base-dn" option is added to relevant
>samba-tool user, group and ou management commands to allow operation
>on just one part of the AD tree, such as a single OU.
>
>VFS
>===
>
>SMB_VFS_NTIMES
>--------------
>
>Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to
>denote
>to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS
>function.
>
>VFS modules can check whether any of the time values inside a struct
>smb_file_time is to be ignored by calling is_omit_timespec() on the
>value.
>
>'io_uring' vfs module
>---------------------
>
>The module makes use of the new io_uring infrastructure
>(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/
>
>Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
>and avoids the overhead of the userspace threadpool in the default
>vfs backend. See also vfs_io_uring(8).
>
>In order to build the module you need the liburing userspace library
>and its developement headers installed, see
>https://git.kernel.dk/cgit/liburing/
>
>At runtime you'll need a Linux kernel with version 5.1 or higher.
>Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
>module! The regression was fixed in Linux 5.4.16 again.
>
>MS-DFS changes in the VFS
>-------------------------
>
>This release changes set getting and setting of MS-DFS redirects
>on the filesystem to go through two new VFS functions:
>
>SMB_VFS_CREATE_DFS_PATHAT()
>SMB_VFS_READ_DFS_PATHAT()
>
>instead of smbd explicitly storing MS-DFS redirects inside
>symbolic links on the filesystem. The underlying default
>implementations of this has not changed, the redirects are
>still stored inside symbolic links on the filesystem, but
>moving the creation and reading of these links into the VFS
>as first-class functions now allows alternate methods of
>storing them (maybe in extended attributes) for OEMs who
>don't want to mis-use filesystem symbolic links in this
>way.
>
>
>CTDB changes
>============
>
>* The ctdb_mutex_fcntl_helper periodically re-checks the lock file
>
> The re-check period is specified using a 2nd argument to this
> helper. The default re-check period is 5s.
>
> If the file no longer exists or the inode number changes then the
> helper exits. This triggers an election.
>
>
>REMOVED FEATURES
>================
>
>The smb.conf parameter "write cache size" has been removed.
>
>Since the in-memory write caching code was written, our write path has
>changed significantly. In particular we have gained very flexible
>support for async I/O, with the new linux io_uring interface in
>development. The old write cache concept which cached data in main
>memory followed by a blocking pwrite no longer gives any improvement
>on modern systems, and may make performance worse on memory-contrained
>systems, so this functionality should not be enabled in core smbd
>code.
>
>In addition, it complicated the write code, which is a performance
>critical code path.
>
>If required for specialist purposes, it can be recreated as a VFS
>module.
>
>Retiring DES encryption types in Kerberos.
>------------------------------------------
>With this release, support for DES encryption types has been removed
>from
>Samba, and setting DES_ONLY flag for an account will cause Kerberos
>authentication to fail for that account (see RFC-6649).
>
>Samba-DC: DES keys no longer saved in DB.
>-----------------------------------------
>When a new password is set for an account, Samba DC will store random
>keys
>in DB instead of DES keys derived from the password. If the account is
>being
>migrated to Windbows or to an older version of Samba in order to use
>DES keys,
>the password must be reset to make it work.
>
>Heimdal-DC: removal of weak-crypto.
>-----------------------------------
>Following removal of DES encryption types from Samba, the embedded
>Heimdal
>build has been updated to not compile weak crypto code
>(HEIM_WEAK_CRYPTO).
>
>vfs_netatalk: The netatalk VFS module has been removed.
>-------------------------------------------------------
>
>The netatalk VFS module has been removed. It was unmaintained and is
>not needed
>any more.
>
>BIND9_FLATFILE deprecated
>-------------------------
>
>The BIND9_FLATFILE DNS backend is deprecated in this release and will
>be removed in the future. This was only practically useful on a single
>domain controller or under expert care and supervision.
>
>This release removes the 'rndc command' smb.conf parameter, which
>supported this configuration by writing out a list of DCs permitted to
>make changes to the DNS Zone and nudging the 'named' server if a new
>DC was added to the domain. Administrators using BIND9_FLATFILE will
>need to maintain this manually from now on.
>
>
>smb.conf changes
>================
>
> Parameter Name Description Default
> -------------- ----------- -------
>
>elasticsearch:address New localhost
> elasticsearch:port New 9200
> elasticsearch:use tls New No
> elasticsearch:index New _all
>elasticsearch:mappings New
>DATADIR/elasticsearch_mappings.json
> elasticsearch:max results New 100
> nfs4:acedup Changed default merge
> rndc command Removed
> write cache size Removed
> spotlight backend New noindex
>
>
>CHANGES SINCE 4.12.0rc4
>=======================
>
>o Andrew Bartlett <abartlet at samba.org>
> * BUG 14258: dsdb: Correctly handle memory in objectclass_attrs.
>
>
>CHANGES SINCE 4.12.0rc3
>=======================
>
>o Jeremy Allison <jra at samba.org>
> * BUG 14269: s3: DFS: Don't allow link deletion on a read-only share.
>
>o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>* BUG 14284: pidl/wscript: configure should insist on
>Parse::Yapp::Driver.
>
>o Andrew Bartlett <abartlet at samba.org>
> * BUG 14270: ldb: Fix search with scope ONE and small result sets.
>* BUG 14284: build: Do not check if system perl modules should be
>bundled.
>
>o Volker Lendecke <vl at samba.org>
> * BUG 14285: smbd fails to handle EINTR from open(2) properly.
>
>o Stefan Metzmacher <metze at samba.org>
> * BUG 14270: ldb: version 2.1.1.
>
>
>CHANGES SINCE 4.12.0rc2
>=======================
>
>o Jeremy Allison <jra at samba.org>
>* BUG 14282: Set getting and setting of MS-DFS redirects on the
>filesystem
> to go through two new VFS functions SMB_VFS_CREATE_DFS_PATHAT() and
> SMB_VFS_READ_DFS_PATHAT().
>
>o Andrew Bartlett <abartlet at samba.org>
> * BUG 14255: bootstrap: Remove un-used dependency python3-crypto.
>
>o Volker Lendecke <vl at samba.org>
> * BUG 14247: Fix CID 1458418 and 1458420.
> * BUG 14281: lib: Fix a shutdown crash with "clustering = yes".
>
>o Stefan Metzmacher <metze at samba.org>
>* BUG 14247: Winbind member (source3) fails local SAM auth with empty
>domain
> name.
> * BUG 14265: winbindd: Handle missing idmap in getgrgid().
> * BUG 14271: Don't use forward declaration for GnuTLS typedefs.
> * BUG 14280: Add io_uring vfs module.
>
>o Andreas Schneider <asn at samba.org>
>* BUG 14250: libcli:smb: Improve check for
>gnutls_aead_cipher_(en|de)cryptv2.
>
>
>CHANGES SINCE 4.12.0rc1
>=======================
>
>o Jeremy Allison <jra at samba.org>
>* BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet
>processing.
>
>o Andreas Schneider <asn at samba.org>
> * BUG 14253: lib:util: Log mkdir error on correct debug levels.
>
>
>KNOWN ISSUES
>============
>
>https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
>
>
>#######################################
>Reporting bugs & Development Discussion
>#######################################
>
>Please discuss this release on the samba-technical mailing list or by
>joining the #samba-technical IRC channel on irc.freenode.net.
>
>If you do report problems then please try to send high quality
>feedback. If you don't provide vital information to help us track down
>the problem then you will probably be ignored. All bug reports should
>be filed under the Samba 4.1 and newer product in the project's
>Bugzilla
>database (https://bugzilla.samba.org/).
>
>
>======================================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>======================================================================
>
>================
>Download Details
>================
>
>The uncompressed tarballs and patch files have been signed
>using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
>from:
>
> https://download.samba.org/pub/samba/stable/
>
>The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.12.0.html
>
>Our Code, Our Bugs, Our Responsibility.
>(https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
--
Простите за краткость, создано в K-9 Mail.
More information about the samba-technical
mailing list