1 =============================
2 Release Notes for Samba 4.2.0
4 =============================
7 This is is the first stable release of Samba 4.2.
9 Samba 4.2 will be the next version of the Samba suite.
12 Samba User Survey 2015
13 ======================
15 https://www.surveygizmo.com/s3/2020369/Samba-User-Survey-2015
17 Please take our survey. It will help us improve Samba by understanding
18 your knowledge and needs. The survey runs until end of March 2015 and
19 won't ask for any personal info. The full results will be shared with
20 the Samba Team, and statistical summaries will be shared with the
21 Samba community after the SambaXP conference (http://sambaxp.org).
24 IMPORTANT NOTE ABOUT THE SUPPORT END OF SAMBA 3
25 =================================================
27 With the final release of Samba 4.2, the last series of Samba 3 has
28 been discontinued! People still running 3.6.x or earlier,should
29 consider moving to a more recent and maintained version (4.0 - 4.2).
30 One of the common misconceptions is that Samba 4.x automatically
31 means "Active Directory only": This is wrong!
33 Acting as an Active Directory Domain Controller is just one of the
34 enhancements included in Samba 4.0 and later. Version 4.0 was just the
35 next release after the 3.6 series and contains all the features of the
36 previous ones - including the NT4-style (classic) domain support. This
37 means you can update a Samba 3.x NT4-style PDC to 4.x, just as you've
38 updated in the past (e.g. from 3.4.x to 3.5.x). You don't have to move
39 your NT4-style domain to an Active Directory!
41 And of course the possibility remains unchanged, to setup a new NT4-style
42 PDC with Samba 4.x, like done in the past (e.g. with openLDAP backend).
43 Active Directory support in Samba 4 is additional and does not replace
44 any of these features. We do understand the difficulty presented by
45 existing LDAP structures and for that reason there isn't a plan to
46 decommission the classic PDC support. It remains tested by the continuous
49 The code that supports the classic Domain Controller is also the same
50 code that supports the internal 'Domain' of standalone servers and
51 Domain Member Servers. This means that we still use this code, even
52 when not acting as an AD Domain Controller. It is also the basis for
53 some of the features of FreeIPA and so it gets development attention
54 from that direction as well.
60 Read the "Winbindd/Netlogon improvements" section (below) carefully!
66 Transparent File Compression
67 ============================
69 Samba 4.2.0 adds support for the manipulation of file and folder
70 compression flags on the Btrfs filesystem.
71 With the Btrfs Samba VFS module enabled, SMB2+ compression flags can
72 be set remotely from the Windows Explorer File->Properties->Advanced
73 dialog. Files flagged for compression are transparently compressed
74 and uncompressed when accessed or modified.
76 Previous File Versions with Snapper
77 ===================================
79 The newly added Snapper VFS module exposes snapshots managed by
80 Snapper for use by Samba. This provides the ability for remote
81 clients to access shadow-copies via Windows Explorer using the
82 "previous versions" dialog.
84 Winbindd/Netlogon improvements
85 ==============================
87 The whole concept of maintaining the netlogon secure channel
88 to (other) domain controllers was rewritten in order to maintain
89 global state in a netlogon_creds_cli.tdb. This is the proper fix
90 for a large number of bugs:
92 https://bugzilla.samba.org/show_bug.cgi?id=6563
93 https://bugzilla.samba.org/show_bug.cgi?id=7944
94 https://bugzilla.samba.org/show_bug.cgi?id=7945
95 https://bugzilla.samba.org/show_bug.cgi?id=7568
96 https://bugzilla.samba.org/show_bug.cgi?id=8599
98 In addition a strong session key is now required by default,
99 which means that communication to older servers or clients
100 might be rejected by default.
102 For the client side we have the following new options:
103 "require strong key" (yes by default), "reject md5 servers" (no by default).
104 E.g. for Samba 3.0.37 you need "require strong key = no" and
105 for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
107 On the server side (as domain controller) we have the following new options:
108 "allow nt4 crypto" (no by default), "reject md5 client" (no by default).
109 E.g. in order to allow Samba < 3.0.27 or NT4 members to work
110 you need "allow nt4 crypto = yes"
112 winbindd does not list group memberships for display purposes
113 (e.g. getent group <domain\<group>) anymore by default.
114 The new default is "winbind expand groups = 0" now,
115 the reason for this is the same as for "winbind enum users = no"
116 and "winbind enum groups = no". Providing this information is not always
117 reliably possible, e.g. if there are trusted domains.
119 Please consult the smb.conf manpage for more details on these new options.
121 Winbindd use on the Samba AD DC
122 ===============================
124 Winbindd is now used on the Samba AD DC by default, replacing the
125 partial rewrite used for winbind operations in Samba 4.0 and 4.1.
127 This allows more code to be shared, more options to be honoured, and
128 paves the way for support for trusted domains in the AD DC.
130 If required the old internal winbind can be activated by setting
131 'server services = +winbind -winbindd'. Upgrading users with a server
132 services parameter specified should ensure they change 'winbind' to
133 'winbindd' to obtain the new functionality.
135 The 'samba' binary still manages the starting of this service, there
136 is no need to start the winbindd binary manually.
138 Winbind now requires secured connections
139 ========================================
141 To improve protection against rogue domain controllers we now require
142 that when we connect to an AD DC in our forest, that the connection be
143 signed using SMB Signing. Set 'client signing = off' in the smb.conf
146 Also and DCE/RPC pipes must be sealed, set 'require strong key =
147 false' and 'winbind sealed pipes = false' to disable.
149 Finally, the default for 'client ldap sasl wrapping' has been set to
150 'sign', to ensure the integrity of LDAP connections. Set 'client ldap
151 sasl wrapping = plain' to disable.
153 Larger IO sizes for SMB2/3 by default
154 =====================================
156 The default values for "smb2 max read", "smb2 max write" and "smb2 max trans"
157 have been changed to 8388608 (8MiB) in order to match the default of
163 The SMB2 protocol allows clients to aggressively cache files
164 locally above and beyond the caching allowed by SMB1 and SMB2 oplocks.
166 Called SMB2 leases, this can greatly reduce traffic on an SMB2
167 connection. Samba 4.2 now implements SMB2 leases.
169 It can be turned on by setting the parameter "smb2 leases = yes"
170 in the [global] section of your smb.conf. This parameter is set
171 to off by default until the SMB2 leasing code is declared fully stable.
173 Improved DCERPC man in the middle detection
174 ===========================================
176 The DCERPC header signing has been implemented
177 in addition to the dcerpc_sec_verification_trailer
180 Overhauled "net idmap" command
181 ==============================
183 The command line interface of the "net idmap" command has been
184 made systematic, and subcommands for reading and writing the autorid idmap
185 database have been added. Note that the writing commands should be
186 used with great care. See the net(8) manual page for details.
191 The tdb library, our core mechanism to store Samba-specific data on disk and
192 share it between processes, has been improved to support process shared robust
193 mutexes on Linux. These mutexes are available on Linux and Solaris and
194 significantly reduce the overhead involved with tdb. To enable mutexes for
197 dbwrap_tdb_mutexes:* = yes
199 in the [global] section of your smb.conf.
201 Tdb file space management has also been made more efficient. This
202 will lead to smaller and less fragmented databases.
204 Messaging improvements
205 ======================
207 Our internal messaging subsystem, used for example for things like oplock
208 break messages between smbds or setting a process debug level dynamically, has
209 been rewritten to use unix domain datagram messages.
214 Samba's file server clustering component CTDB is now integrated in the
215 Samba tree. This avoids the confusion of compatibility of Samba and CTDB
216 versions as existed previously.
218 To build the Samba file server with cluster support, use the configure
219 command line option --with-cluster-support. This will build clustered
220 file server against the in-tree CTDB and will also build CTDB.
221 Building clustered samba with previous versions of CTDB is no longer
224 Samba Registry Editor
225 =====================
227 The utitlity to browse the samba registry has been overhauled by our Google
228 Summer of Code student Chris Davis. Now samba-regedit has a
229 Midnight-Commander-like theme and UI experience. You can browse keys and edit
230 the diffent value types. For a data value type a hexeditor has been
233 Bad Password Lockout in the AD DC
234 =================================
236 Samba's AD DC now implements bad password lockout (on a per-DC basis).
238 That is, incorrect password attempts are tracked, and accounts locked
239 out if too many bad passwords are submitted. There is also a grace
240 period of 60 minutes on the previous password when used for NTLM
241 authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).
243 The relevant settings can be seen using 'samba-tool domain
244 passwordsettings show' (the new settings being highlighted):
246 Password informations for domain 'DC=samba,DC=example,DC=com'
248 Password complexity: on
249 Store plaintext passwords: off
250 Password history length: 24
251 Minimum password length: 7
252 Minimum password age (days): 1
253 Maximum password age (days): 42
254 * Account lockout duration (mins): 30 *
255 * Account lockout threshold (attempts): 0 *
256 * Reset account lockout after (mins): 30 *
258 These values can be set using 'samba-tool domain passwordsettings set'.
260 Correct defaults in the smb.conf manpages
261 =========================================
263 The default values for smb.conf parameters are now correctly specified
264 in the smb.conf manpage, even when they refer to build-time specified
265 paths. Provided Samba is built on a system with the right tools
266 (xsltproc in particular) required to generate our man pages, then
267 these will be built with the exact same embedded paths as used by the
268 configuration parser at runtime. Additionally, the default values
269 read from the smb.conf manpage are checked by our test suite to match
270 the values seen in testparm and used by the running binaries.
272 Consistent behaviour between samba-tool testparm and testparm
273 =============================================================
275 With the exception of the registry backend, which remains only
276 available in the file server, the behaviour of the smb.conf parser and
277 the tools 'samba-tool testparm' and 'testparm' is now consistent,
278 particularly with regard to default values. Except with regard to
279 registry shares, it is no longer needed to use one tool on the AD
280 DC, and another on the file server.
285 A VFS module for basic WORM (Write once read many) support has been
286 added. It allows an additional layer on top of a Samba share, that provides
287 a basic set of WORM functionality on the client side, to control the
288 writeability of files and folders.
290 As the module is simply an additional layer, share access and permissions
291 work like expected - only WORM functionality is added on top. Removing the
292 module from the share configuration, removes this layer again. The
293 filesystem ACLs are not affected in any way from the module and treated
296 The module does not provide complete WORM functions, like some archiving
297 products do! It is not audit-proof, because the WORM function is only
298 available on the client side, when accessing a share through SMB! If
299 the same folder is shared by other services like NFS, the access only
300 depends on the underlying filesystem ACLs. Equally if you access the
301 content directly on the server.
303 For additional information, see
304 https://wiki.samba.org/index.php/VFS/vfs_worm
306 vfs_fruit, a VFS module for OS X clients
307 ========================================
309 A new VFS module that provides enhanced compatibility with Apple SMB
310 clients and interoperability with a Netatalk 3 AFP fileserver.
312 The module features enhanced performance with reliable named streams
313 support, interoperability with special characters commonly used by OS
314 X client (eg '*', '/'), integrated file locking and Mac metadata
315 access with Netatalk 3 and enhanced performance by implementing
316 Apple's SMB2 extension codenamed "AAPL".
318 The modules behaviour is fully configurable, please refer to the
319 manpage vfs_fruit for further details.
321 smbclient archival improvements
322 ===============================
324 Archive creation and extraction support in smbclient has been rewritten
325 to use libarchive. This fixes a number of outstanding bugs in Samba's
326 previous custom tar implementation and also adds support for the
327 extraction of zipped archives.
328 smbclient archive support can be enabled or disabled at build time with
329 corresponding --with[out]-libarchive configure parameters.
332 ######################################################################
339 Parameter Name Description Default
340 -------------- ----------- -------
342 allow nt4 crypto New no
343 neutralize nt4 emulation New no
344 reject md5 client New no
345 reject md5 servers New no
346 require strong key New yes
347 smb2 max read Changed default 8388608
348 smb2 max write Changed default 8388608
349 smb2 max trans Changed default 8388608
350 winbind expand groups Changed default 0
353 CHANGES SINCE 4.2.0rc5
354 ======================
356 o Michael Adam <obnox@samba.org>
357 * BUG 11117: doc:man:vfs_glusterfs: improve the configuration section.
360 o Jeremy Allison <jra@samba.org>
361 * BUG 11118: tevent: Ignore unexpected signal events in the same way the
365 o Andrew Bartlett <abartlet@samba.org>
366 * BUG 11100: debug: Set close-on-exec for the main log file FD.
367 * BUG 11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba
371 o Ira Cooper <ira@samba.org>
372 * BUG 1115: smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT.
375 o Günther Deschner <gd@samba.org>
376 * BUG 11088: vfs: Add a brief vfs_ceph manpage.
379 o David Disseldorp <ddiss@samba.org>
380 * BUG 11118: tevent: version 0.9.24.
383 o Amitay Isaacs <amitay@gmail.com>
384 * BUG 11124: ctdb-io: Do not use sys_write to write to client sockets.
387 o Volker Lendecke <vl@samba.org>
388 * BUG 11119: snprintf: Try to support %j.
391 o Garming Sam <garming@catalyst.net.nz>
392 * BUG 11097: Fix Win8.1 Credentials Manager issue after KB2992611 on Samba
396 o Andreas Schneider <asn@samba.org>
397 * BUG 11127: doc-xml: Add 'sharesec' reference to 'access based share
401 CHANGES SINCE 4.2.0rc4
402 ======================
404 o Michael Adam <obnox@samba.org>
405 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
406 * BUG 11058: cli_connect_nb_send: Don't segfault on host == NULL.
409 o Jeremy Allison <jra@samba.org>
410 * BUG 10849: s3: lib, s3: modules: Fix compilation on Solaris.
411 * BUG 11044: Fix authentication using Kerberos (not AD).
412 * BUG 11077: CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free
413 on an uninitialized pointer.
414 * BUG 11094: s3: smbclient: Allinfo leaves the file handle open.
415 * BUG 11102: s3: smbd: leases - losen paranoia check. Stat opens can grant
417 * BUG 11104: s3: smbd: SMB2 close. If a file has delete on close, store the
418 return info before deleting.
421 o Ira Cooper <ira@samba.org>
422 * BUG 11069: vfs_glusterfs: Add comments to the pipe(2) code.
425 o Günther Deschner <gd@samba.org>
426 * BUG 11070: s3-vfs: Fix developer build of vfs_ceph module.
429 o David Disseldorp <ddiss@samba.org>
430 * BUG 10808: printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD.
431 * BUG 11055: vfs_snapper: Correctly handles multi-byte DBus strings.
432 * BUG 11059: libsmb: Provide authinfo domain for encrypted session
436 o Poornima G <pgurusid@redhat.com>
437 * BUG 11069: vfs_glusterfs: Implement AIO support.
440 o Volker Lendecke <vl@samba.org>
441 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
444 o Stefan Metzmacher <metze@samba.org>
445 * BUG 9299: nsswitch: Fix soname of linux nss_*.so.2 modules.
446 * BUG 9702: s3:smb2_server: protect against integer wrap with "smb2 max
448 * BUG 9810: Make validate_ldb of String(Generalized-Time) accept
449 millisecond format ".000Z".
450 * BUG 10112: Use -R linker flag on Solaris, not -rpath.
453 o Marc Muehlfeld <mmuehlfeld@samba.org>
454 * BUG 10909: samba-tool: Create NIS enabled users and unixHomeDirectory
458 o Garming Sam <garming@catalyst.net.nz>
459 * BUG 11022: Make Sharepoint search show user documents.
462 o Christof Schmitt <cs@samba.org>
463 * BUG 11032: Enable mutexes in gencache_notrans.tdb.
466 o Andreas Schneider <asn@samba.org>
467 * BUG 11058: utils: Fix 'net time' segfault.
468 * BUG 11066: s3-pam_smbpass: Fix memory leak in pam_sm_authenticate().
469 * BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not deference a
473 o Raghavendra Talur <raghavendra.talur@gmail.com>
474 * BUG 11069: vfs/glusterfs: Change xattr key to match gluster key.
477 CHANGES SINCE 4.2.0rc3
478 ======================
480 o Andrew Bartlett <abartlet@samba.org>
481 * BUG 10993: CVE-2014-8143: dsdb-samldb: Check for extended access
482 rights before we allow changes to userAccountControl.
485 o Günther Deschner <gd@samba.org>
486 * BUG 10240: vfs: Add glusterfs manpage.
489 o David Disseldorp <ddiss@samba.org>
490 * BUG 10984: Fix spoolss IDL response marshalling when returning error
491 without clearing info.
494 o Amitay Isaacs <amitay@gmail.com>
495 * BUG 11000: ctdb-daemon: Use correct tdb flags when enabling robust mutex
499 o Volker Lendecke <vl@samba.org>
500 * BUG 11032: tdb_wrap: Make mutexes easier to use.
501 * BUG 11039: vfs_fruit: Fix base_fsp name conversion.
502 * BUG 11040: vfs_fruit: mmap under FreeBSD needs PROT_READ.
503 * BUG 11051: net: Fix sam addgroupmem.
506 o Stefan Metzmacher <metze@samba.org>
507 * BUG 10940: s3:passdb: fix logic in pdb_set_pw_history().
508 * BUG 11004: tdb: version 1.3.4.
511 o Christof Schmitt <cs@samba.org>
512 * BUG 11034: winbind: Retry after SESSION_EXPIRED error in ping-dc.
515 o Andreas Schneider <asn@samba.org>
516 * BUG 11008: s3-util: Fix authentication with long hostnames.
517 * BUG 11026: nss_wrapper: check for nss.h.
518 * BUG 11033: lib/util: Avoid collision which alread defined consumer DEBUG
520 * BUG 11037: s3-libads: Fix a possible segfault in kerberos_fetch_pac().
523 CHANGES SINCE 4.2.0rc2
524 ======================
526 o Michael Adam <obnox@samba.org>
527 * BUG 10892: Integrate CTDB into top-level Samba build.
530 o Jeremy Allison <jra@samba.org>
531 * BUG 10851: lib: uid_wrapper: Fix setgroups and syscall detection on a
532 system without native uid_wrapper library.
533 * BUG 10896: s3-nmbd: Fix netbios name truncation.
534 * BUG 10904: Fix smbclient loops doing a directory listing against Mac OS X 10
535 server with a non-wildcard path.
536 * BUG 10911: Add support for SMB2 leases.
537 * BUG 10920: s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
538 * BUG 10966: libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a
540 * BUG 10982: s3: smbd: Fix *allocate* calls to follow POSIX error return
544 o Christian Ambach <ambi@samba.org>
545 * BUG 9629: Make 'profiles' work again.
548 o Björn Baumbach <bb@sernet.de>
549 * BUG 11014: ctdb-build: Fix build without xsltproc.
552 o Ralph Boehme <slow@samba.org>
553 * BUG 10834: Don't build vfs_snapper on FreeBSD.
554 * BUG 10971: vfs_streams_xattr: Check stream type.
555 * BUG 10983: vfs_fruit: Add support for AAPL.
556 * BUG 11005: vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT.
559 o Günther Deschner <gd@samba.org>
560 * BUG 9056: pam_winbind: fix warn_pwd_expire implementation.
561 * BUG 10942: Cleanup add_string_to_array and usage.
564 o David Disseldorp <ddiss@samba.org>
565 * BUG 10898: spoolss: Fix handling of bad EnumJobs levels.
566 * BUG 10905: Fix print job enumeration.
569 o Amitay Isaacs <amitay@gmail.com>
570 * BUG 10620: s4-dns: Add support for BIND 9.10.
571 * BUG 10892: Integrate CTDB into top-level Samba build.
572 * BUG 10996: Fix IPv6 support in CTDB.
573 * BUG 11014: packaging: Include CTDB man pages in the tarball.
576 o Björn Jacke <bj@sernet.de>
577 * BUG 10835: nss_winbind: Add getgroupmembership for FreeBSD.
580 o Guenter Kukkukk <linux@kukkukk.com>
581 * BUG 10952: Fix 'samba-tool dns serverinfo <server>' for IPv6.
584 o Volker Lendecke <vl@samba.org>
585 * BUG 10932: pdb_tdb: Fix a TALLOC/SAFE_FREE mixup.
586 * BUG 10942: dbwrap_ctdb: Pass on mutex flags to tdb_open.
589 o Justin Maggard <jmaggard10@gmail.com>
590 * BUG 10852: winbind3: Fix pwent variable substitution.
593 o Kamen Mazdrashki <kamenim@samba.org>
594 * BUG 10975: ldb: version 1.1.18
597 o Stefan Metzmacher <metze@samba.org>
598 * BUG 10781: tdb: version 1.3.3
599 * BUG 10911: Add support for SMB2 leases.
600 * BUG 10921: s3:smbd: Fix file corruption using "write cache size != 0".
601 * BUG 10949: Fix RootDSE search with extended dn control.
602 * BUG 10958: libcli/smb: only force signing of smb2 session setups when
603 binding a new session.
604 * BUG 10975: ldb: version 1.1.18
605 * BUG 11016: pdb_get_trusteddom_pw() fails with non valid UTF16 random
609 o Marc Muehlfeld <mmuehlfeld@samba.org>
610 * BUG 10895: samba-tool group add: Add option '--nis-domain' and '--gid'.
613 o Noel Power <noel.power@suse.com>
614 * BUG 10918: btrfs: Don't leak opened directory handle.
617 o Matt Rogers <mrogers@redhat.com>
618 * BUG 10933: s3-keytab: fix keytab array NULL termination.
621 o Garming Sam <garming@catalyst.net.nz>
622 * BUG 10355: pdb: Fix build issues with shared modules.
623 * BUG 10720: idmap: Return the correct id type to *id_to_sid methods.
624 * BUG 10864: Fix testparm to show hidden share defaults.
627 o Andreas Schneider <asn@samba.org>
628 * BUG 10279: Make 'smbclient' use cached creds.
629 * BUG 10960: s3-smbclient: Return success if we listed the shares.
630 * BUG 10961: s3-smbstatus: Fix exit code of profile output.
631 * BUG 10965: socket_wrapper: Add missing prototype check for eventfd.
634 o Martin Schwenke <martin@meltin.net>
635 * BUG 10892: Integrate CTDB into top-level Samba build.
636 * BUG 10996: Fix IPv6 support in CTDB.
639 CHANGES SINCE 4.2.0rc1
640 ======================
642 o Jeremy Allison <jra@samba.org>
643 * BUG 10848: s3: smb2cli: query info return length check was reversed.
646 o Björn Baumbach <bb@sernet.de>
647 * BUG 10862: build: Do not install 'texpect' binary anymore.
650 o Chris Davis <cd.rattan@gmail.com>
651 * BUG 10859: Improve samba-regedit.
654 o Jakub Hrozek <jakub.hrozek@gmail.com>
655 * BUG 10861: Fix build of socket_wrapper on systems without SO_PROTOCOL.
658 o Volker Lendecke <vl@samba.org>
659 * BUG 10860: registry: Don't leave dangling transactions.
662 o Stefan Metzmacher <metze@samba.org>
663 * BUG 10866: libcli/smb: Fix smb2cli_validate_negotiate_info with
664 min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02.
667 o Christof Schmitt <cs@samba.org>
668 * BUG 10837: idmap_rfc2307: Fix a crash after connection problem to DC.
671 #######################################
672 Reporting bugs & Development Discussion
673 #######################################
675 Please discuss this release on the samba-technical mailing list or by
676 joining the #samba-technical IRC channel on irc.freenode.net.
678 If you do report problems then please try to send high quality
679 feedback. If you don't provide vital information to help us track down
680 the problem then you will probably be ignored. All bug reports should
681 be filed under the Samba 4.2 product in the project's Bugzilla
682 database (https://bugzilla.samba.org/).
685 ======================================================================
686 == Our Code, Our Bugs, Our Responsibility.
688 ======================================================================