[Samba] [Announce] Samba 4.5.0 Available for Download
Andrew Bartlett
abartlet at samba.org
Wed Sep 7 19:40:45 UTC 2016
On Wed, 2016-09-07 at 09:31 -0600, Jeff Sadowski wrote:
> Does this push 4.2.x to discontinued?
Yes: https://wiki.samba.org/index.php/Samba_Release_Planning
> On Wed, Sep 7, 2016 at 9:06 AM, Stefan Metzmacher <metze at samba.org>
> wrote:
>
> >
> > ======================================================
> > "It does not matter how slowly you go
> > as long as you do not stop."
> >
> > Confucius
> > ======================================================
> >
> >
> > Release Announcements
> > ---------------------
> >
> > This is the first stable release of the Samba 4.5 release series.
> >
> >
> > UPGRADING
> > =========
> >
> > NTLMv1 authentication disabled by default
> > -----------------------------------------
> >
> > In order to improve security we have changed
> > the default value for the "ntlm auth" option from
> > "yes" to "no". This may have impact on very old
> > clients which doesn't support NTLMv2 yet.
> >
> > The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
> >
> > By default, Samba will only allow NTLMv2 via NTLMSSP now,
> > as we have the following default "lanman auth = no",
> > "ntlm auth = no" and "raw NTLMv2 auth = no".
> >
> >
> > NEW FEATURES/CHANGES
> > ====================
> >
> > Support for LDAP_SERVER_NOTIFICATION_OID
> > ----------------------------------------
> >
> > The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
> > control. This can be used to monitor the Active Directory database
> > for changes.
> >
> > KCC improvements for sparse network replication
> > -----------------------------------------------
> >
> > The Samba KCC will now be the default knowledge consistency checker
> > in
> > Samba AD. Instead of using full mesh replication between every DC,
> > the
> > KCC will set up connections to optimize replication latency and
> > cost
> > (using site links to calculate the routes). This change should
> > allow
> > larger domains to function significantly better in terms of
> > replication
> > traffic and the time spent performing DRS replication.
> >
> > VLV - Virtual List View
> > -----------------------
> >
> > The VLV Control allows applications to page the LDAP directory in
> > the
> > way you might expect a live phone book application to operate,
> > without
> > first downloading the entire directory.
> >
> > DRS Replication for the AD DC
> > -----------------------------
> >
> > DRS Replication in Samba 4.5 is now much more efficient in handling
> > linked attributes, particularly in large domains with over 1000
> > group
> > memberships or other links.
> >
> > Replication is also much more reliable in the handling of tree
> > renames, such as the rename of an organizational unit containing
> > many
> > users. Extensive tests have been added to ensure this code remains
> > reliable, particularly in the case of conflicts between objects
> > added
> > with the same name on different servers.
> >
> > Schema updates are also handled much more reliably.
> >
> > samba-tool drs replicate with new options
> > -----------------------------------------
> >
> > 'samba-tool drs replicate' got two new options:
> >
> > The option '--local-online' will do the DsReplicaSync() via IRPC
> > to the local dreplsrv service.
> >
> > The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
> > DsReplicaSync(), which won't wait for the replication result.
> >
> > replPropertyMetaData Changes
> > ----------------------------
> >
> > During the development of the DRS replication, tests showed that
> > Samba
> > stores the replPropertyMetaData object incorrectly. To address
> > this,
> > be aware that 'dbcheck' will now detect and offer to fix all
> > objects in
> > the domain for this error.
> >
> > For further information and instructions how to fix the problem,
> > see
> > https://wiki.samba.org/index.php/Updating_Samba#Fixing_
> > replPropertyMetaData_Attributes
> >
> > Linked attributes on deleted objects
> > ------------------------------------
> >
> > In Active Directory, an object that has been tombstoned or recycled
> > has no linked attributes. However, Samba incorrectly maintained
> > such
> > links, slowing replication and run-time performance. 'dbcheck' now
> > offers to remove such links, and they are no longer kept after the
> > object is tombstoned or recycled.
> >
> > Improved AD DC performance
> > --------------------------
> >
> > Many other improvements have been made to our LDAP database layer
> > in
> > the AD DC, to improve performance, both during 'samba-tool domain
> > provision' and at runtime.
> >
> > Other dbcheck improvements
> > --------------------------
> >
> > - 'samba-tool dbcheck' can now find and fix a missing or corrupted
> > 'deleted objects' container.
> > - BUG 11433: samba-dbcheck no longer offers to resort auxiliary
> > class
> > values
> > in objectClass as these were then re-sorted at the next dbcheck
> > indefinitely.
> >
> > Tombstone Reanimation
> > ---------------------
> >
> > Samba now supports tombstone reanimation, a feature in the AD DC
> > allowing tombstones, that is objects which have been deleted, to be
> > restored with the original SID and GUID still in place.
> >
> > Multiple DNS Forwarders on the AD DC
> > ------------------------------------
> >
> > Previously, the Samba internal DNS server supported only one DNS
> > forwarder.
> > The "dns forwarder" option has been enhanced and now supports a
> > space-separated
> > list of multiple DNS server IP addresses. As a result, Samba is now
> > able to
> > fall back to alternative DNS servers. In case that a DNS query to
> > the first
> > server timed out, it is sent to the next DNS server listed in the
> > option.
> >
> > Password quality plugin support in the AD DC
> > --------------------------------------------
> >
> > The check password script now operates correctly in the AD DC.
> >
> > pwdLastSet is now correctly honoured
> > ------------------------------------
> >
> > BUG 9654: The pwdLastSet attribute is now correctly handled (this
> > previously
> > permitted passwords that expire next).
> >
> > net ads dns unregister
> > ----------------------
> >
> > It is now possible to remove the DNS entries created with 'net ads
> > register'
> > with the matching 'net ads unregister' command.
> >
> > samba-tool improvements
> > ------------------------
> >
> > Running 'samba-tool' on the command line should now be a lot
> > snappier. The
> > tool
> > now only loads the code specific to the subcommand that you wish to
> > run.
> >
> > SMB 2.1 Leases enabled by default
> > ---------------------------------
> >
> > Leasing is an SMB 2.1 (and higher) feature which allows clients to
> > aggressively cache files locally above and beyond the caching
> > allowed
> > by SMB 1 oplocks. This feature was disabled in previous releases,
> > but
> > the SMB2 leasing code is now considered mature and stable enough to
> > be
> > enabled by default.
> >
> > Open File Description (OFD) Locks
> > ---------------------------------
> >
> > On systems that support them (currently only Linux), the fileserver
> > now
> > uses Open File Description (OFD) locks instead of POSIX locks to
> > implement
> > client byte range locks. As these locks are associated with a
> > specific
> > file descriptor on a file this allows more efficient use when
> > multiple
> > descriptors having file locks are opened onto the same file. An
> > internal
> > tunable "smbd:force process locks = true" may be used to turn off
> > OFD
> > locks if there appear to be problems with them.
> >
> > Password sync as Active Directory domain controller
> > ---------------------------------------------------
> >
> > The new commands 'samba-tool user getpassword'
> > and 'samba-tool user syncpasswords' provide
> > access and syncing of various password fields.
> >
> > If compiled with GPGME support (--with-gpgme) it's
> > possible to store cleartext passwords in a PGP/OpenGPG
> > encrypted form by configuring the new "password hash gpg key ids"
> > option. This requires gpgme devel and python packages to be
> > installed
> > (e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu).
> >
> > Python crypto requirements
> > --------------------------
> >
> > Some 'samba-tool' subcommands require python-crypto and/or
> > python-m2crypto packages to be installed.
> >
> > SmartCard/PKINIT improvements
> > -----------------------------
> >
> > 'samba-tool user create' accepts "--smartcard-required"
> > and 'samba-tool user setpassword' accepts "--smartcard-required"
> > and "--clear-smartcard-required".
> >
> > Specifying "--smartcard-required" results in the
> > UF_SMARTCARD_REQUIRED
> > flags being set in the userAccountControl attribute.
> > At the same time, the account password is reset to a random
> > NTHASH value.
> >
> > Interactive password logons are rejected, if the
> > UF_SMARTCARD_REQUIRED
> > bit is set in the userAccountControl attribute of a user.
> >
> > When doing a PKINIT based Kerberos logon the KDC adds the
> > required PAC_CREDENTIAL_INFO element to the authorization data.
> > That means the NTHASH is shared between the PKINIT based client and
> > the domain controller, which allows the client to do NTLM based
> > authentication on behalf of the user. It also allows an offline
> > logon using a smartcard to work on Windows clients.
> >
> > CTDB changes
> > ------------
> >
> > * New improved 'ctdb tool'
> >
> > 'ctdb tool' has been completely rewritten using new client API.
> > Usage messages are much improved.
> >
> > * Sample CTDB configuration file is installed as ctdbd.conf.
> >
> > * The use of real-time scheduling when taking locks has been
> > narrowed
> > to limit potential performance impacts on nodes.
> >
> > * CTDB_RECOVERY_LOCK now supports specification of an external
> > helper
> > to take and hold the recovery lock.
> >
> > See the RECOVERY LOCK section in ctdb(7) for
> > details. Documentation
> > for writing helpers is provided in doc/cluster_mutex_helper.txt.
> >
> > * "ctdb natgwlist" has been replaced by a top level "ctdb natgw"
> > command that has "master", "list" and "status" subcommands.
> >
> > * The 'onnode' command no longer supports the "recmaster", "lvs"
> > and
> > "natgw" node specifications.
> >
> > * Faster resetting of TCP connections to public IP addresses during
> > failover.
> >
> > * Tunables MaxRedirectCount, ReclockPingPeriod,
> > DeferredRebalanceOnNodeAdd are now obsolete/ignored.
> >
> > * "ctdb listvars" now lists all variables, including the first one.
> >
> > * "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have
> > been
> > removed.
> >
> > These are not needed because "ctdb reloadips" should do the
> > correct
> > rebalancing.
> >
> > * Output for the following commands has been simplified:
> >
> > ctdb getdbseqnum
> > ctdb getdebug
> > ctdb getmonmode
> > ctdb getpid
> > ctdb getreclock
> > ctdb getpid
> > ctdb pnn
> >
> > These now simply print the requested output with no
> > preamble. This
> > means that scripts no longer need to strip part of the output.
> >
> > "ctdb getreclock" now prints nothing when the recovery lock is
> > not
> > set.
> >
> > * Output for the following commands has been improved:
> >
> > ctdb setdebug
> > ctdb uptime
> >
> > * 'ctdb process-exists' has been updated to only take a PID
> > argument.
> >
> > The PNN can be specified with -n <PNN>. Output also cleaned up.
> >
> > * LVS support has been reworked - related commands and
> > configuration
> > variables have changed.
> >
> > 'ctdb lvsmaster' and 'ctdb lvs' have been replaced by a top level
> > 'ctdb lvs' command that has 'master', 'list' and 'status'
> > subcommands.
> >
> > See the LVS sections in ctdb(7) and ctdbd.conf(5) for details,
> > including configuration changes.
> >
> > * Improved sample NFS Ganesha call-out.
> >
> > New shadow_copy2 options
> > ------------------------
> >
> > * shadow:snapprefix
> >
> > With growing number of snapshots file-systems need some mechanism
> > to
> > differentiate one set of snapshots from other, e.g. monthly,
> > weekly,
> > manual,
> > special events, etc. Therefore, these file-systems provide
> > different
> > ways to tag
> > snapshots, e.g. provide a configurable way to name snapshots,
> > which is
> > not just
> > based on time. With only shadow:format it is very difficult to
> > filter
> > these
> > snapshots. With this optional parameter, one can specify a
> > variable
> > prefix
> > component for names of the snapshot directories in the file-
> > system. If
> > this
> > parameter is set, together with the shadow:format and
> > shadow:delimiter
> > parameters it determines the possible names of snapshot
> > directories in
> > the
> > file-system. The option only supports Basic Regular Expression
> > (BRE).
> >
> > * shadow:delimiter
> >
> > This optional parameter is used as a delimiter between
> > "shadow:snapprefix" and
> > "shadow:format". This parameter is used only when
> > "shadow:snapprefix" is
> > set.
> >
> > Default: shadow:delimiter = "_GMT"
> >
> >
> > REMOVED FEATURES
> > ================
> >
> > "only user" and "username" parameters
> > -------------------------------------
> >
> > These two parameters have long been deprecated and superseded by
> > "valid users" and "invalid users".
> >
> >
> > smb.conf changes
> > ================
> >
> > Parameter Name Description Default
> > -------------- ----------- -------
> > kccsrv:samba_kcc Changed default yes
> > ntlm auth Changed default no
> > only user Removed
> > password hash gpg key ids New
> > shadow:snapprefix New
> > shadow:delimiter New _GMT
> > smb2 leases Changed default yes
> > username Removed
> >
> >
> > KNOWN ISSUES
> > ============
> >
> > While a lot of schema replication bugs were fixed in this release
> > Bug 12204 - Samba fails to replicate schema 69
> > (https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
> > The replication fails if more than 133 schema objects are added
> > at the same time.
> >
> > More open bugs are listed at:
> > https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All
> > _bugs
> >
> >
> > CHANGES SINCE 4.5.0rc3
> > ======================
> >
> > o Björn Baumbach <bb at sernet.de>
> > * BUG 12194: idmap_script: fix missing "IDTOSID" argument in
> > scripts
> > command line.
> >
> > o Andrew Bartlett <abartlet at samba.org>
> > * BUG 12178: samba-tool dbcheck fails to fix
> > replPropertyMetaData.
> >
> > o Ralph Boehme <slow at samba.org>
> > * BUG 12177: Unexpected synthesized default ACL from
> > vfs_acl_xattr.
> > * BUG 12181: vfs_acl_common not setting filesystem permissions
> > anymore.
> > * BUG 12184: Loading shared RPC modules failed.
> >
> > o Günther Deschner <gd at samba.org>
> > * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the
> > keyname
> > length check.
> >
> > o Stefan Metzmacher <metze at samba.org>
> > * BUG 11994: smbclient fails to connect to Azure or Apple share
> > spnego
> > fails with no mechListMIC.
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 12180: CTDB crashes running eventscripts.
> >
> >
> > CHANGES SINCE 4.5.0rc2
> > ======================
> >
> > o Michael Adam <obnox at samba.org>
> > * BUG 12155: Some idmap backends don't perform range checks for
> > the
> > result
> > of sids_to_xids.
> >
> > o Jeremy Allison <jra at samba.org>
> > * BUG 12115: Endless loop on drsuapi pull replication after
> > schema
> > changes.
> > * BUG 12135: net ads gpo refresh can crash with null pointer
> > deref..
> > * BUG 12139: Race between break oplock and check for
> > share_mode.
> > * BUG 12150: SMB2 snapshot query fails on DFS shares..
> > * BUG 12165: smbclient allinfo doesn't correctly return
> > 'previous
> > version'
> > info over SMB1.
> > * BUG 12166: smbclient allinfo doesn't correctly return
> > 'previous
> > version'
> > info over SMB2.
> > * BUG 12174: error: 'conn' undeclared.
> >
> > o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> > * BUG 12143: misnamed attribute in samba_kcc causes exception
> > in
> > unusual
> > circumstances.
> > * BUG 12187: Backport changes for partial attribute set
> > calculation
> > for 4.5.
> >
> > o Andrew Bartlett <abartlet at samba.org>
> > * BUG 12107: backport backupkey tests.
> > * BUG 12115: Endless loop on drsuapi pull replication after
> > schema
> > changes.
> > * BUG 12128: Correctly resolve replicated schema changes
> > regarding
> > linked
> > attributes.
> >
> > o Amitay Isaacs <amitay at gmail.com>
> > * BUG 12137: Fix printf format non-liternal warnings and printf
> > format errors.
> > * BUG 12138: Fix uninitialized timeout in ctdb_pmda.
> > * BUG 12151: Drop resurrected ctdb commands in new ctdb tool.
> > * BUG 12152: Fix ctdb addip; implementation to match ctdb
> > delip.
> > * BUG 12163: Fix missing arguments and format elements in
> > format
> > strings.
> > * BUG 12168: Fix format-nonliteral warnings.
> >
> > o Stefan Metzmacher <metze at samba.org>
> > * BUG 12108: Backport selftest/autobuild fixes to v4-5-test.
> > * BUG 12114: In memory schema updated on non schema master.
> > * BUG 12115: Endless loop on drsuapi pull replication after
> > schema
> > changes.
> > * BUG 12128: Correctly resolve replicated schema changes
> > regarding
> > linked attributes.
> > * BUG 12129: let samba-tool ldapcmp ignore whenChanged.
> >
> > o Garming Sam <garming at catalyst.net.nz>
> > * BUG 12187: Backport changes for partial attribute set
> > calculation
> > for 4.5.
> >
> > o Andreas Schneider <asn at samba.org>
> > * BUG 12175: smbget always prompts for a username.
> >
> > o Christof Schmitt <cs at samba.org>
> > * BUG 12150: SMB2 snapshot query fails on DFS shares..
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 12157: Coverity and related fixes.
> > * BUG 12158: CTDB release IP fixes.
> > * BUG 12161: Fix CTDB cumulative takeover timeout.
> > * BUG 12170: CTDB test runs can kill each other's ctdbd
> > daemons.
> >
> > o Uri Simchoni <uri at samba.org>
> > * BUG 12145: smbd: if inherit owner is enabled, the free disk
> > on a
> > folder
> > should take the owner's quota into account.
> > * BUG 12149: smbd: cannot load a Windows device driver from a
> > Samba
> > share
> > via SMB2.
> > * BUG 12172: a snapshot folder cannot be accessed via SMB1.
> >
> >
> > CHANGES SINCE 4.5.0rc1
> > ======================
> >
> > o Ralph Boehme <slow at samba.org>
> > * BUG 12005: parse_share_modes() chokes on ctdb tombstone
> > record from
> > ltdb.
> > * BUG 12105: smbclient connection to not reachable IP eats 100%
> > CPU.
> >
> > o Ira Cooper <ira at samba.org>
> > * BUG 12133: source3/wscript: Add support for disabling
> > vfs_cephfs.
> >
> > o Amitay Isaacs <amitay at gmail.com>
> > * BUG 12121: ctdb-tools: Fix numerous Coverity IDs and other
> > issues.
> > * BUG 12122: If a transaction fails, it should be canceled and
> > transaction
> > handle should be freed.
> > * BUG 12134: dbwrap: Fix structure initialization.
> >
> > o Marc Muehlfeld <mmuehlfeld at samba.org>
> > * BUG 12023: man: Fix wrong option for parameter "ldap ssl" in
> > smb.conf
> > man page.
> >
> > o Andreas Schneider <asn at samba.org>
> > * BUG 12104: ctdb-waf: Move ctdb tests to libexec directory.
> >
> > o Martin Schwenke <martin at meltin.net>
> > * BUG 12104: ctdb-packaging: Move ctdb tests to libexec
> > directory.
> > * BUG 12109: Fixes several CTDB tests.
> > * BUG 12110: Fix numerous Coverity IDs.
> > * BUG 12113: ctdb-mutex: Avoid corner case where helper is
> > already
> > reparented to init.
> > * BUG 12123: Fix ctdb tickle command and update documentation.
> > * BUG 12125: CTDB overwrites working configuration due to
> > packaging
> > change.
> > * BUG 12126: Fix broken CTDB log messages.
> >
> >
> > #######################################
> > Reporting bugs & Development Discussion
> > #######################################
> >
> > Please discuss this release on the samba-technical mailing list or
> > by
> > joining the #samba-technical IRC channel on irc.freenode.net.
> >
> > If you do report problems then please try to send high quality
> > feedback. If you don't provide vital information to help us track
> > down
> > the problem then you will probably be ignored. All bug reports
> > should
> > be filed under the Samba 4.1 and newer product in the project's
> > Bugzilla
> > database (https://bugzilla.samba.org/).
> >
> >
> > ===================================================================
> > ===
> > == Our Code, Our Bugs, Our Responsibility.
> > == The Samba Team
> > ===================================================================
> > ===
> >
> >
> > ================
> > Download Details
> > ================
> >
> > The uncompressed tarballs and patch files have been signed
> > using GnuPG (ID 6F33915B6568B7EA). The source code can be
> > downloaded
> > from:
> >
> > https://download.samba.org/pub/samba/stable/
> >
> > The release notes are available online at:
> >
> > https://www.samba.org/samba/history/samba-4.5.0.html
> >
> > Our Code, Our Bugs, Our Responsibility.
> > (https://bugzilla.samba.org/)
> >
> > --Enjoy
> > The Samba Team
> >
>
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list