4 This is the first preview release of Samba 4.12. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.12 will be the next version of the Samba suite.
22 Samba's minimum runtime requirement for python was raised to Python
23 3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
24 3.5 both to access new features and because this is the oldest version
25 we test with in our CI infrastructure.
27 (Build time support for the file server with Python 2.6 has not
30 Removing in-tree cryptography: GnuTLS 3.4.7 required
31 ----------------------------------------------------
33 Samba is making efforts to remove in-tree cryptographic functionality,
34 and to instead rely on externally maintained libraries. To this end,
35 Samba has chosen GnuTLS as our standard cryptographic provider.
37 Samba now requires GnuTLS 3.4.7 to be installed (including development
38 headers at build time) for all configurations, not just the Samba AD
41 Thanks to this work Samba no longer ships an in-tree DES
42 implementation and on GnuTLS 3.6.5 or later Samba will include no
43 in-tree cryptography other than the MD4 hash and that
44 implemented in our copy of Heimdal.
46 Using GnuTLS for SMB3 encryption you will notice huge performance and copy
47 speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
48 show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
50 NOTE WELL: The use of GnuTLS means that Samba will honour the
51 system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
52 standard) and so will not operate in many still common situations if
53 this system-wide parameter is in effect, as many of our protocols rely
54 on outdated cryptography.
56 A future Samba version will mitigate this to some extent where good
57 cryptography effectively wraps bad cryptography, but for now that above
61 "net ads kerberos pac save" and "net eventlog export"
62 -----------------------------------------------------
64 The "net ads kerberos pac save" and "net eventlog export" tools will
65 no longer silently overwrite an existing file during data export. If
66 the filename given exits, an error will be shown.
74 Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
75 to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
77 VFS modules can check whether any of the time values inside a struct
78 smb_file_time is to be ignored by calling is_omit_timespec() on the value.
83 The smb.conf parameter "write cache size" has been removed.
85 Since the in-memory write caching code was written, our write path has
86 changed significantly. In particular we have gained very flexible
87 support for async I/O, with the new linux io_uring interface in
88 development. The old write cache concept which cached data in main
89 memory followed by a blocking pwrite no longer gives any improvement
90 on modern systems, and may make performance worse on memory-contrained
91 systems, so this functionality should not be enabled in core smbd
94 In addition, it complicated the write code, which is a performance
97 If required for specialist purposes, it can be recreated as a VFS
100 BIND9_FLATFILE deprecated
101 -------------------------
103 The BIND9_FLATFILE DNS backend is deprecated in this release and will
104 be removed in the future. This was only practically useful on a single
105 domain controller or under expert care and supervision.
107 This release removes the "rndc command" smb.conf parameter, which
108 supported this configuration by writing out a list of DCs permitted to
109 make changes to the DNS Zone and nudging the 'named' server if a new
110 DC was added to the domain. Administrators using BIND9_FLATFILE will
111 need to maintain this manually from now on.
114 Retiring DES encryption types in Kerberos.
115 ------------------------------------------
116 With this release, support for DES encryption types has been removed from
117 Samba, and setting DES_ONLY flag for an account will cause Kerberos
118 authentication to fail for that account (see RFC-6649).
120 Samba-DC: DES keys no longer saved in DB.
121 -----------------------------------------
122 When a new password is set for an account, Samba DC will store random keys
123 in DB instead of DES keys derived from the password. If the account is being
124 migrated to Windbows or to an older version of Samba in order to use DES keys,
125 the password must be reset to make it work.
127 Heimdal-DC: removal of weak-crypto.
128 -----------------------------------
129 Following removal of DES encryption types from Samba, the embedded Heimdal
130 build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
136 Parameter Name Description Default
137 -------------- ----------- -------
139 nfs4:acedup Changed default merge
141 write cache size Removed
146 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs
149 #######################################
150 Reporting bugs & Development Discussion
151 #######################################
153 Please discuss this release on the samba-technical mailing list or by
154 joining the #samba-technical IRC channel on irc.freenode.net.
156 If you do report problems then please try to send high quality
157 feedback. If you don't provide vital information to help us track down
158 the problem then you will probably be ignored. All bug reports should
159 be filed under the Samba 4.1 and newer product in the project's Bugzilla
160 database (https://bugzilla.samba.org/).
163 ======================================================================
164 == Our Code, Our Bugs, Our Responsibility.
166 ======================================================================