4 This is the fourth release candidate of Samba 4.7. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.7 will be the next version of the Samba suite.
18 'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
19 banner when connecting to the first server. With SMB2 and Kerberos,
20 there's no way to print this information reliably. Now we avoid it at all
21 consistently. In interactive sessions the following banner is now presented
22 to the user: 'Try "help" do get a list of possible commands.'.
24 The default for "client max protocol" has changed to "SMB3_11",
25 which means that smbclient (and related commands) will work against
26 servers without SMB1 support.
28 It's possible to use the '-m/--max-protocol' option to overwrite
29 the "client max protocol" option temporarily.
31 Note that the '-e/--encrypt' option also works with most SMB3 servers
32 (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
33 are not required for encryption.
35 The change to SMB3_11 as default also means smbclient no longer
36 negotiates SMB1 unix extensions by default, when talking to a Samba server with
37 "unix extensions = yes". As a result, some commands are not available, e.g.
38 'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink',
39 'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenables them, if the
42 Note the default ("CORE") for "client min protocol" hasn't changed,
43 so it's still possible to connect to SMB1-only servers by default.
45 'smbclient' learned a new command "deltree" that is able to do
46 a recursive deletion of a directory tree.
52 Whole DB read locks: Improved LDAP and replication consistency
53 --------------------------------------------------------------
55 Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
56 erronously did not take whole-DB read locks to protect search
57 and DRS replication operations.
59 While each object returned remained subject to a record-level lock (so
60 would remain consistent to itself), under a race condition with a
61 rename or delete, it and any links (like the member attribute) to it
62 would not be returned.
64 The symptoms of this issue include:
66 Replication failures with this error showing in the client side logs:
67 error during DRS repl ADD: No objectClass found in replPropertyMetaData for
68 Failed to commit objects:
69 WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
71 A crash of the server, in particular the rpc_server process with
72 INTERNAL ERROR: Signal 11
74 LDAP read inconsistency
75 A DN subject to a search at the same time as it is being renamed
76 may not appear under either the old or new name, but will re-appear
77 for a subsequent search.
79 See https://bugzilla.samba.org/show_bug.cgi?id=12858 for more details
80 and updated advise on database recovery for affected installations.
82 Samba AD with MIT Kerberos
83 --------------------------
85 After four years of development, Samba finally supports compiling and
86 running Samba AD with MIT Kerberos. You can enable it with:
88 ./configure --with-system-mitkrb5
90 Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
91 The krb5-devel and krb5-server packages are required.
92 The feature set is not on par with the Heimdal build but the most important
93 things, like forest and external trusts, are working. Samba uses the KDC binary
94 provided by MIT Kerberos.
96 Missing features, compared to Heimdal, are:
98 * S4U2SELF/S4U2PROXY support
99 * RODC support (not fully working with Heimdal either)
101 The Samba AD process will take care of starting the MIT KDC and it will load a
102 KDB (Kerberos Database) driver to access the Samba AD database. When
103 provisioning an AD DC using 'samba-tool' it will take care of creating a correct
104 kdc.conf file for the MIT KDC.
106 Dynamic RPC port range
107 ----------------------
109 The dynamic port range for RPC services has been changed from the old default
110 value "1024-1300" to "49152-65535". This port range is not only used by a
111 Samba AD DC, but also applies to all other server roles including NT4-style
112 domain controllers. The new value has been defined by Microsoft in Windows
113 Server 2008 and newer versions. To make it easier for Administrators to control
114 those port ranges we use the same default and make it configurable with the
115 option: "rpc server dynamic port range".
117 The "rpc server port" option sets the first available port from the new
118 "rpc server dynamic port range" option. The option "rpc server port" only
119 applies to Samba provisioned as an AD DC.
121 Authentication and Authorization audit support
122 ----------------------------------------------
124 Detailed authentication and authorization audit information is now
125 logged to Samba's debug logs under the "auth_audit" debug class,
126 including in particular the client IP address triggering the audit
127 line. Additionally, if Samba is compiled against the jansson JSON
128 library, a JSON representation is logged under the "auth_json_audit"
131 Audit support is comprehensive for all authentication and
132 authorisation of user accounts in the Samba Active Directory Domain
133 Controller, as well as the implicit authentication in password
134 changes. In the file server and classic/NT4 domain controller, NTLM
135 authentication, SMB and RPC authorization is covered, however password
136 changes are not at this stage, and this support is not currently
137 backed by a testsuite.
139 Multi-process LDAP Server
140 -------------------------
142 The LDAP server in the AD DC now honours the process model used for
143 the rest of the 'samba' process, rather than being forced into a single
144 process. This aids in Samba's ability to scale to larger numbers of AD
145 clients and the AD DC's overall resiliency, but will mean that there is a
146 fork()ed child for every LDAP client, which may be more resource
147 intensive in some situations.
149 Improved Read-Only Domain Controller (RODC) Support
150 ---------------------------------------------------
152 Support for RODCs in Samba AD until now has been experimental. With this latest
153 version, many of the critical bugs have been fixed and the RODC can be used in
154 DC environments requiring no writable behaviour. RODCs now correctly support
155 bad password lockouts and password disclosure auditing through the
156 msDS-RevealedUsers attribute.
158 The fixes made to the RWDC will also allow Windows RODC to function more
159 correctly and to avoid strange data omissions such as failures to replicate
160 groups or updated passwords. Password changes are currently rejected at the
161 RODC, although referrals should be given over LDAP. While any bad passwords can
162 trigger domain-wide lockout, good passwords which have not been replicated yet
163 for a password change can only be used via NTLM on the RODC (and not Kerberos).
165 The reliability of RODCs locating a writable partner still requires some
166 improvements and so the 'password server' configuration option is generally
167 recommended on the RODC.
169 Additional password hashes stored in supplementalCredentials
170 ------------------------------------------------------------
172 A new config option 'password hash userPassword schemes' has been added to
173 enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
174 password with reversible encryption). This builds upon previous work to improve
175 password sync for the AD DC (originally using GPG).
177 The user command of 'samba-tool' has been updated in order to be able to
178 extract these additional hashes, as well as extracting the (HTTP) WDigest
179 hashes that we had also been storing in supplementalCredentials.
181 Improvements to DNS during Active Directory domain join
182 -------------------------------------------------------
184 The 'samba-tool' domain join command will now add the A and GUID DNS records
185 (on both the local and remote servers) during a join if possible via RPC. This
186 should allow replication to proceed more smoothly post-join.
188 The mname element of the SOA record will now also be dynamically generated to
189 point to the local read-write server. 'samba_dnsupdate' should now be more
190 reliable as it will now find the appropriate name server even when resolv.conf
191 points to a forwarder.
193 Significant AD performance and replication improvements
194 -------------------------------------------------------
196 Previously, replication of group memberships was been an incredibly expensive
197 process for the AD DC. This was mostly due to unnecessary CPU time being spent
198 parsing member linked attributes. The database now stores these linked
199 attributes in sorted form to perform efficient searches for existing members.
200 In domains with a large number of group memberships, a join can now be
201 completed in half the time compared with Samba 4.6.
203 LDAP search performance has also improved, particularly in the unindexed search
204 case. Parsing and processing of security descriptors should now be more
205 efficient, improving replication but also overall performance.
207 Query record for open file or directory
208 ---------------------------------------
210 The record attached to an open file or directory in Samba can be
211 queried through the 'net tdb locking' command. In clustered Samba this
212 can be useful to determine the file or directory triggering
213 corresponding "hot" record warnings in ctdb.
215 Removal of lpcfg_register_defaults_hook()
216 -----------------------------------------
218 The undocumented and unsupported function lpcfg_register_defaults_hook()
219 that was used by external projects to call into Samba and modify
220 smb.conf default parameter settings has been removed. If your project
221 was using this call please raise the issue on
222 samba-technical@lists.samba.org in order to design a supported
223 way of obtaining the same functionality.
225 Change of loadable module interface
226 -----------------------------------
228 The _init function of all loadable modules in Samba has changed
231 NTSTATUS _init(void);
235 NTSTATUS _init(TALLOC_CTX *);
237 This allows a program loading a module to pass in a long-lived
238 talloc context (which must be guaranteed to be alive for the
239 lifetime of the module). This allows modules to avoid use of
240 the talloc_autofree_context() (which is inherently thread-unsafe)
241 and still be valgrind-clean on exit. Modules that don't need to
242 free long-lived data on exit should use the NULL talloc context.
247 * CTDB no longer allows mixed minor versions in a cluster
249 See the AllowMixedVersions tunable option in ctdb-tunables(7) and also
250 https://wiki.samba.org/index.php/Upgrading_a_CTDB_cluster#Policy
252 * CTDB now ignores hints from Samba about TDB flags when attaching to databases
254 CTDB will use the correct flags depending on the type of database.
255 For clustered databases, the smb.conf setting
256 dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues
257 to use the TDBMutexEnabled tunable.
259 * New configuration variable CTDB_NFS_CHECKS_DIR
261 See ctdbd.conf(5) for more details.
263 * The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been
266 To continue to manage/unmanage services while CTDB is running:
268 - Start service by hand and then flag it as managed
270 - Mark service as unmanaged and shut it down by hand
272 - In some cases CTDB does something fancy - e.g. start Samba under
273 "nice", so care is needed. One technique is to disable the
274 eventscript, mark as managed, run the startup event by hand and then
275 re-enable the eventscript.
277 * The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
279 * The example NFS Ganesha call-out has been improved
281 * A new "replicated" database type is available
283 Replicated databases are intended for CTDB's internal use to
284 replicate state data across the cluster, but may find other
285 uses. The data in replicated databases is valid for the lifetime of
286 CTDB and cleared on first attach.
291 The "strict sync" global parameter has been changed from
292 a default of "no" to "yes". This means smbd will by default
293 obey client requests to synchronize unwritten data in operating
294 system buffers safely onto disk. This is a safer default setting
295 for modern SMB1/2/3 clients.
297 The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting
298 the previous behaviour. Two new values have been provided,
299 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1)
300 and 'disabled', totally disabling NTLM authentication and password
307 Parameter Name Description Default
308 -------------- ----------- -------
309 allow unsafe cluster upgrade New parameter no
310 auth event notification New parameter no
311 auth methods Deprecated
312 client max protocol Effective SMB3_11
314 map untrusted to domain New value/ auto
317 mit kdc command New parameter
318 profile acls Deprecated
319 rpc server dynamic port range New parameter 49152-65535
320 strict sync Default changed yes
321 password hash userPassword schemes New parameter
322 ntlm auth New values ntlmv2-only
328 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
331 CHANGES SINCE 4.7.0rc3
332 ======================
334 o Jeremy Allison <jra@samba.org>
335 * BUG 12913: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
337 o Andrew Bartlett <abartlet@samba.org>
338 * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
339 NETLOGON_NT_VERSION_5 when version unspecified.
340 * BUG 12855: dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7.
341 * BUG 12904: dsdb: Fix dsdb_next_callback to correctly use ldb_module_done()
343 * BUG 12939: s4-rpc_server: Improve debug of new endpoints.
345 o Ralph Boehme <slow@samba.org>
346 * BUG 12791: Fix kernel oplocks issues with named streams.
347 * BUG 12944: vfs_gpfs: Handle EACCES when fetching DOS attributes from xattr.
349 o Bob Campbell <bobcampbell@catalyst.net.nz>
350 * BUG 12842: samdb/cracknames: Support user and service principal as desired
353 o David Disseldorp <ddiss@samba.org>
354 * BUG 12911: vfs_ceph: Fix cephwrap_chdir().
356 o Gary Lockyer <gary@catalyst.net.nz>
357 * BUG 12865: Track machine account ServerAuthenticate3.
359 o Marc Muehlfeld <mmuehlfeld@samba.org>
360 * BUG 12947: python: Fix incorrect kdc.conf parameter name in kerberos.py.
362 o Noel Power <noel.power@suse.com>
363 * BUG 12937: s3/utils: 'smbcacls' failed to detect DIRECTORIES using SMB2
366 o Arvid Requate <requate@univention.de>
367 * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
369 o Anoop C S <anoopcs@redhat.com>
370 * BUG 12936: source3/client: Fix typo in help message displayed by default.
372 o Andreas Schneider <asn@samba.org>
373 * BUG 12930: Fix building with GCC 7.1.1.
376 CHANGES SINCE 4.7.0rc2
377 ======================
379 o Jeremy Allison <jra@samba.org>
380 * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
382 * BUG 12899: s3: libsmb: Reverse sense of 'clear all attributes', ignore
383 attribute change in SMB2 to match SMB1.
384 * BUG 12914: s3: smbclient: Add new command deltree.
386 o Ralph Boehme <slow@samba.org>
387 * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories
389 * BUG 12887: Remove SMB_VFS_STRICT_UNLOCK noop from the VFS.
390 * BUG 12891: Enable TDB mutexes in dbwrap and ctdb.
391 * BUG 12897: vfs_fruit: don't use MS NFS ACEs with Windows clients.
392 * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
395 o Alexander Bokovoy <ab@samba.org>
396 * BUG 12905: Build py3 versions of other rpc modules.
398 o Günther Deschner <gd@samba.org>
399 * BUG 12840: vfs_fruit: Add "fruit:model = <modelname>" parametric option.
402 * BUG 12720: idmap_ad: Retry query_user exactly once if we get
405 o Amitay Isaacs <amitay@gmail.com>
406 * BUG 12891: dbwrap_ctdb: Fix calculation of persistent flag.
408 o Thomas Jarosch <thomas.jarosch@intra2net.com>
409 * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
411 o Volker Lendecke <vl@samba.org>
412 * BUG 12925: smbd: Fix a connection run-down race condition.
414 o Stefan Metzmacher <metze@samba.org>
415 * tevent: version 0.9.33: make tevent_req_print() more robust against crashes.
417 * BUG 12882: Do not install _ldb_text.py if we have system libldb.
418 * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
419 rpc_pipe_open_interface().
420 * BUG 12900: Fix index out of bound in ldb_msg_find_common_values.
422 o Rowland Penny <rpenny@samba.org>
423 * BUG 12884: Easily edit a users object in AD, as if using 'ldbedit'.
425 o Bernhard M. Wiedemann <bwiedemann@suse.de>
426 * BUG 12906: s3: drop build_env
428 o Andreas Schneider <asn@samba.org>
429 * BUG 12882: waf: Do not install _ldb_text.py if we have system libldb.
431 o Martin Schwenke <martin@meltin.net>
432 * BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
435 CHANGES SINCE 4.7.0rc1
436 ======================
438 o Jeffrey Altman <jaltman@secure-endpoints.com>
439 * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
442 #######################################
443 Reporting bugs & Development Discussion
444 #######################################
446 Please discuss this release on the samba-technical mailing list or by
447 joining the #samba-technical IRC channel on irc.freenode.net.
449 If you do report problems then please try to send high quality
450 feedback. If you don't provide vital information to help us track down
451 the problem then you will probably be ignored. All bug reports should
452 be filed under the Samba 4.1 and newer product in the project's Bugzilla
453 database (https://bugzilla.samba.org/).
456 ======================================================================
457 == Our Code, Our Bugs, Our Responsibility.
459 ======================================================================