4 This is the second release candidate of Samba 4.8. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.8 will be the next version of the Samba suite.
22 Adds Group Policy support for the Samba kdc. Applies password policies
23 (minimum/maximum password age, minimum password length, and password
24 complexity) and kerberos policies (user/service ticket lifetime and
27 Adds the samba_gpoupdate script for applying and unapplying
28 policy. Can be applied automatically by setting
30 'apply group policies = yes'.
32 Time Machine Support with vfs_fruit
33 -----------------------------------
35 Samba can be configured as a Time Machine target for Apple Mac devices
36 through the vfs_fruit module. When enabling a share for Time Machine
37 support the relevant Avahi records to support discovery will be published
38 for installations that have been built against the Avahi client library.
40 Shares can be designated as a Time Machine share with the following setting:
42 'fruit:time machine = yes'
44 Support for lower casing the MDNS Name
45 --------------------------------------
47 Allows the server name that is advertised through MDNS to be set to the
48 hostname rather than the Samba NETBIOS name. This allows an administrator
49 to make Samba registered MDNS records match the case of the hostname
50 rather than being in all capitals.
52 This can be set with the following settings:
59 Attributes deemed to be sensitive are now encrypted on disk. The sensitive
62 msDS-ExecuteScriptPassword
70 supplementalCredentials
76 This encryption is enabled by default on a new provision or join, it
77 can be disabled at provision or join time with the new option
78 '--plaintext-secrets'.
80 However, an in-place upgrade will not encrypt the database.
82 Once encrypted, it is not possible to do an in-place downgrade (eg to
83 4.7) of the database. To obtain an unencrypted copy of the database a
84 new DC join should be performed, specifying the '--plaintext-secrets'
87 The key file "encrypted_secrets.key" is created in the same directory
88 as the database and should NEVER be disclosed. It is included by the
91 NT4-style replication based net commands removed
92 ------------------------------------------------
94 The following commands and sub-commands have been removed from the
100 Also, replicating from a real NT4 domain with "net rpc vampire" and
101 "net rpc vampire keytab" has been removed.
103 The NT4-based commands were accidentially broken in 2013, and nobody
104 noticed the breakage. So instead of fixing them including tests (which
105 would have meant writing a server for the protocols, which we don't
106 have) we decided to remove them.
108 For the same reason, the "samsync", "samdeltas" and "database_redo"
109 commands have been removed from rpcclient.
111 "net rpc vampire keytab" from Active Directory domains continues to be
114 vfs_aio_linux module removed
115 ----------------------------
117 The current Linux kernel aio does not match what Samba would
118 do. Shipping code that uses it leads people to false
119 assumptions. Samba implements async I/O based on threads by default,
120 there is no special module required to see benefits of read and write
121 request being sent do the disk in parallel.
123 smbclient reparse point symlink parameters reversed
124 ---------------------------------------------------
126 A bug in smbclient caused the 'symlink' command to reverse the
127 meaning of the new name and link target parameters when creating a
128 reparse point symlink against a Windows server. As this is a
129 little used feature the ordering of these parameters has been
130 reversed to match the parameter ordering of the UNIX extensions
131 'symlink' command. The usage message for this command has also
132 been improved to remove confusion.
137 The dependency to global list of trusted domains within
138 the winbindd processes has been reduced a lot.
140 The construction of that global list is not reliable and often
141 incomplete in complex trust setups. In most situations the list is not needed
142 any more for winbindd to operate correctly. E.g. for plain file serving via SMB
143 using a simple idmap setup with autorid, tdb or ad. However some more complex
144 setups require the list, e.g. if you specify idmap backends for specific
145 domains. Some pam_winbind setups may also require the global list.
147 If you have a setup that doesn't require the global list, you should set
148 "winbind scan trusted domains = no".
150 VirusFilter VFS module
151 ----------------------
153 This new module integrates with Sophos, F-Secure and ClamAV anti-virus
154 software to provide scanning and filtering of files on a Samba share.
160 The two commands 'net serverid list' and 'net serverid wipe' have been
161 removed, because the file serverid.tdb is not used anymore.
163 'net serverid list' can be replaced by listing all files in the
164 subdirectory "msg.lock" of Samba's "lock directory". The unique id
165 listed by 'net serverid list' is stored in every process' lockfile in
168 'net serverid wipe' is not necessary anymore. It was meant primarily
169 for clustered environments, where the serverid.tdb file was not
170 properly cleaned up after single node crashes. Nowadays smbd and
171 winbind take care of cleaning up the msg.lock and msg.sock directories
178 Parameter Name Description Default
179 -------------- ----------- -------
180 apply group policies New no
183 client schannel Default changed/ yes
185 gpo update command New
186 ldap ssl ads Deprecated
187 map untrusted to domain Removed
188 oplock contention limit Removed
189 prefork children New 1
190 mdns name New netbios
191 fruit:time machine New false
194 server schannel Default changed/ yes
197 winbind scan trusted domains New yes
198 winbind trusted domains only Removed
201 CHANGES SINCE 4.8.0rc1
202 ======================
204 o Günther Deschner <gd@samba.org>
205 * BUG 13227: packaging: Fix default systemd-dir path.
206 * BUG 13238: build: Deal with recent glibc sunrpc header removal.
208 o Stefan Metzmacher <metze@samba.org>
209 * BUG 13228: repl_meta_data: fix linked attribute corruption on databases
210 with unsorted links on expunge.
212 o Christof Schmitt <cs@samba.org>
213 * BUG 13217: s3/smbd: Remove file system sharemode before calling unlink.
215 o Andreas Schneider <asn@samba.org>
216 * BUG 13209: Small improvements in winbindd for the resource cleanup in error
218 * BUG 13238: Make Samba work with tirpc and libnsl2.
224 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.8#Release_blocking_bugs
227 #######################################
228 Reporting bugs & Development Discussion
229 #######################################
231 Please discuss this release on the samba-technical mailing list or by
232 joining the #samba-technical IRC channel on irc.freenode.net.
234 If you do report problems then please try to send high quality
235 feedback. If you don't provide vital information to help us track down
236 the problem then you will probably be ignored. All bug reports should
237 be filed under the Samba 4.1 and newer product in the project's Bugzilla
238 database (https://bugzilla.samba.org/).
241 ======================================================================
242 == Our Code, Our Bugs, Our Responsibility.
244 ======================================================================