4 This is the first release candidate of Samba 4.2. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.2 will be the next version of the Samba suite.
15 Read the "Winbindd/Netlogon improvements" section (below) carefully!
21 Transparent File Compression
22 ============================
24 Samba 4.2.0 adds support for the manipulation of file and folder
25 compression flags on the Btrfs filesystem.
26 With the Btrfs Samba VFS module enabled, SMB2+ compression flags can
27 be set remotely from the Windows Explorer File->Properties->Advanced
28 dialog. Files flagged for compression are transparently compressed
29 and uncompressed when accessed or modified.
31 Previous File Versions with Snapper
32 ===================================
34 The newly added Snapper VFS module exposes snapshots managed by
35 Snapper for use by Samba. This provides the ability for remote
36 clients to access shadow-copies via Windows Explorer using the
37 "previous versions" dialog.
39 Winbindd/Netlogon improvements
40 ==============================
42 The whole concept of maintaining the netlogon secure channel
43 to (other) domain controllers was rewritten in order to maintain
44 global state in a netlogon_creds_cli.tdb. This is the proper fix
45 for a large number of bugs:
47 https://bugzilla.samba.org/show_bug.cgi?id=6563
48 https://bugzilla.samba.org/show_bug.cgi?id=7944
49 https://bugzilla.samba.org/show_bug.cgi?id=7945
50 https://bugzilla.samba.org/show_bug.cgi?id=7568
51 https://bugzilla.samba.org/show_bug.cgi?id=8599
53 In addition a strong session key is now required by default,
54 which means that communication to older servers or clients
55 might be rejected by default.
57 For the client side we have the following new options:
58 "require strong key" (yes by default), "reject md5 servers" (no by default).
59 E.g. for Samba 3.0.37 you need "require strong key = no" and
60 for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
62 On the server side (as domain controller) we have the following new options:
63 "allow nt4 crypto" (no by default), "reject md5 client" (no by default).
64 E.g. in order to allow Samba < 3.0.27 or NT4 members to work
65 you need "allow nt4 crypto = yes"
67 winbindd does not list group memberships for display purposes
68 (e.g. getent group <domain\<group>) anymore by default.
69 The new default is "winbind expand groups = 0" now,
70 the reason for this is the same as for "winbind enum users = no"
71 and "winbind enum groups = no". Providing this information is not always
72 reliably possible, e.g. if there are trusted domains.
74 Please consult the smb.conf manpage for more details on these new options.
76 Winbindd use on the Samba AD DC
77 ===============================
79 Winbindd is now used on the Samba AD DC by default, replacing the
80 partial rewrite used for winbind operations in Samba 4.0 and 4.1.
82 This allows more code to be shared, more options to be honoured, and
83 paves the way for support for trusted domains in the AD DC.
85 If required the old internal winbind can be activated by setting
86 'server services = +winbind -winbindd'. Upgrading users with a server
87 services parameter specified should ensure they change 'winbind' to
88 'winbindd' to obtain the new functionality.
90 The 'samba' binary still manages the starting of this service, there
91 is no need to start the winbindd binary manually.
93 Winbind now requires secured connections
94 ========================================
96 To improve protection against rogue domain controllers we now require
97 that when we connect to an AD DC in our forest, that the connection be
98 signed using SMB Signing. Set 'client signing = off' in the smb.conf
101 Also and DCE/RPC pipes must be sealed, set 'require strong key =
102 false' and 'winbind sealed pipes = false' to disable.
104 Finally, the default for 'client ldap sasl wrapping' has been set to
105 'sign', to ensure the integrity of LDAP connections. Set 'client ldap
106 sasl wrapping = plain' to disable.
108 Larger IO sizes for SMB2/3 by default
109 =====================================
111 The default values for "smb2 max read", "smb2 max write" and "smb2 max trans"
112 have been changed to 8388608 (8MiB) in order to match the default of
115 Improved DCERPC man in the middle detection
116 ===========================================
118 The DCERPC header signing has been implemented
119 in addition to the dcerpc_sec_verification_trailer
122 Overhauled "net idmap" command
123 ==============================
125 The command line interface of the "net idmap" command has been
126 made systematic, and subcommands for reading and writing the autorid idmap
127 database have been added. Note that the writing commands should be
128 used with great care. See the net(8) manual page for details.
133 The tdb library, our core mechanism to store Samba-specific data on disk and
134 share it between processes, has been improved to support process shared robust
135 mutexes on Linux. These mutexes are available on Linux and Solaris and
136 significantly reduce the overhead involved with tdb. To enable mutexes for
139 dbwrap_tdb_mutexes:* = yes
141 in the [global] section of your smb.conf.
143 Tdb file space management has also been made more efficient. This
144 will lead to smaller and less fragmented databases.
146 Messaging improvements
147 ======================
149 Our internal messaging subsystem, used for example for things like oplock
150 break messages between smbds or setting a process debug level dynamically, has
151 been rewritten to use unix domain datagram messages.
156 Samba's file server clustering component CTDB is now integrated in the
157 Samba tree. This avoids the confusion of compatibility of Samba and CTDB
158 versions as existed previously.
160 To build the Samba file server with cluster support, use the configure
161 command line option --with-cluster-support. This will build clustered
162 file server against the in-tree ctdb. Building clustered samba with
163 previous versions of CTDB is no longer supported.
165 CTDB is built separately from the ctdb/ sub-directory. To build CTDB,
166 use the following steps:
174 ######################################################################
181 Parameter Name Description Default
182 -------------- ----------- -------
184 allow nt4 crypto New no
185 neutralize nt4 emulation New no
186 reject md5 client New no
187 reject md5 servers New no
188 require strong key New yes
189 smb2 max read Changed default 8388608
190 smb2 max write Changed default 8388608
191 smb2 max trans Changed default 8388608
192 winbind expand groups Changed default 0
198 #######################################
199 Reporting bugs & Development Discussion
200 #######################################
202 Please discuss this release on the samba-technical mailing list or by
203 joining the #samba-technical IRC channel on irc.freenode.net.
205 If you do report problems then please try to send high quality
206 feedback. If you don't provide vital information to help us track down
207 the problem then you will probably be ignored. All bug reports should
208 be filed under the Samba 4.2 product in the project's Bugzilla
209 database (https://bugzilla.samba.org/).
212 ======================================================================
213 == Our Code, Our Bugs, Our Responsibility.
215 ======================================================================