author | Karolin Seeger <kseeger@samba.org> | 2019-07-09 12:04:27 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-07-09 12:04:27 +0200 |
commit | 36f021f74d9739a9c73b95fc7d6f821bbf7cafdd (patch) | |
tree | 234eff2df7f7bbd4889db6f9f6915f01ffe634c0 /WHATSNEW.txt | |
parent | 9cb028d6d1630b20dab5bd456c69052e877d6fcf (diff) | |
download | samba-36f021f74d9739a9c73b95fc7d6f821bbf7cafdd.tar.gz |
WHATSNEW: Start release notes for Samba 4.12.0pre1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- | WHATSNEW.txt | 286 |
1 files changed, 3 insertions, 283 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c0d13d20d6b..510ee2c89db 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,297 +1,25 @@ Release Announcements ===================== -This is the first preview release of Samba 4.11. This is *not* +This is the first preview release of Samba 4.12. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.11 will be the next version of the Samba suite. +Samba 4.12 will be the next version of the Samba suite. UPGRADING ========= -SMB1 is disabled by default ---------------------------- - -The defaults of 'client min protocol' and 'server min protocol' -have been changed to SMB2_02. - -This means clients without support for SMB2 or SMB3 are no longer -able to connect to smbd (by default). - -It also means client tools like smbclient and other, -as well as applications making use of libsmbclient are no longer -able to connect to servers without SMB2 or SMB3 support (by default). - -It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 -and LANMAN1 for client and server, as well as CORE and COREPLUS on -the client. - -Note that most commandline tools e.g. smbclient, smbcacls and others -also support the --option argument to overwrite smb.conf options, -e.g. --option='client min protocol=NT1' might be useful. - -As Microsoft no longer installs SMB1 support in recent releases -or uninstalls it after 30 days without usage, the Samba Team -tries to get remove the SMB1 usage as much as possible. - -SMB1 is officially deprecated and might be removed step by step -in the following years. If you have a strong requirement for SMB1 -(except for supporting old Linux Kernels), please file a bug -at https://bugzilla.samba.org and let us know about the details. NEW FEATURES/CHANGES ==================== -Default samba process model ---------------------------- - -The default for the --model argument passed to the samba executable has changed -from 'standard' to 'prefork'. 
This means a difference in the number of samba -child processes that are created to handle client connections. The previous -default would create a separate process for every LDAP or NETLOGON client -connection. For a network with a lot of persistent client connections, this -could result in significant memory overhead. Now, with the new default of -'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of -worker processes at startup and share the client connections amongst these -workers. The number of worker processes can be configured by the 'prefork -children' setting in the smb.conf (the default is 4). - -Authentication Logging. ------------------------ - -Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has -been added to the Authentication JSON log messages. This contains a random -logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed -to SamLogon, linking the windbind and SamLogon requests. - -The serviceDescription of the messages is set to "winbind", the authDescription -is set to one of: - "PASSDB, <command>, <pid>" - "PAM_AUTH, <command>, <pid>" - "NTLM_AUTH, <command>, <pid>" -where: - <command> is the name of the command makinmg the winbind request i.e. wbinfo - <pid> is the process id of the requesting process. - -The version of the JSON Authentication messages has been changed to 1.2 from 1.1 - -LDAP referrals --------------- - -The scheme of returned LDAP referrals now reflects the scheme of the original -request, i.e. referrals received via ldap are prefixed with "ldap://" -and those over ldaps are prefixed with "ldaps://" - -Previously all referrals were prefixed with "ldap://" - -Bind9 logging -------------- - -It is now possible to log the duration of DNS operations performed by Bind9 -This should aid future diagnosis of performance issues, and could be used to -monitor DNS performance. 
The logging is enabled by setting log level to -"dns:10" in smb.conf - -The logs are currently Human readable text only, i.e. no JSON formatted output. - -Log lines are of the form: - - <function>: DNS timing: result: [<result>] duration: (<duration>) - zone: [<zone>] name: [<name>] data: [<data>] - - durations are in microseconds. - -Default schema updated to 2012_R2 ---------------------------------- - -Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level -is not yet available. Older schemas can be used by provisioning with the -'--base-schema' argument. Existing installations can be updated with the -samba-tool command "domain schemaupgrade". - -Samba's replication code has also been improved to handle replication -with the 2012 schema (the core of this replication fix has also been -backported to 4.9.11 and will be in a 4.10.x release). - -GnuTLS 3.2 required -------------------- - -Samba is making efforts to remove in-tree cryptographic functionality, -and to instead rely on externally maintained libraries. To this end, -Samba has chosen GnuTLS as our standard cryptographic provider. - -Samba now requires GnuTLS 3.2 to be installed (including development -headers at build time) for all configurations, not just the Samba AD -DC. - -NOTE WELL: The use of GnuTLS means that Samba will honour the -system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic -standard) and so will not operate in many still common situations if -this system-wide parameter is in effect, as many of our protocols rely -on outdated cryptography. - -A future Samba version will mitigate this to some extent where good -cryptography effectively wraps bad cryptography, but for now that above -applies. - -samba-tool improvements ------------------------ - -A new "samba-tool contact" command has been added to allow the -command-line manipulation of contacts, as used for address book -lookups in LDAP. 
- -The "samba-tool [user|group|computer|group|contact] edit" command has been -improved to operate more pleasantly on international character sets. - -100,000 USER and LARGER Samba AD DOMAINS -======================================== - -Extensive efforts have been made to optimise Samba for use in -organisations (for example) targeting 100,000 users, plus 120,000 -computer objects, as well as large number of group memberships. - -Many of the specific efforts are detailed below, but the net results -is to remove barriers to significantly larger Samba deployments -compared to previous releases. - -Reindex performance improvements --------------------------------- - -The performance of samba-tool dbcheck --reindex has been improved, -especially for large domains. - -join performance improvements ------------------------------ - -The performance of samba-tool domain join has been improved, -especially for large domains. - -LDAP Server memory improvements -------------------------------- - -The LDAP server has improved memory efficiency, ensuring that large -LDAP responses (for example a search for all objects) is not copied -multiple times into memory. - -Setting lmdb map size ---------------------- - -It is now possible to set the lmdb map size (The maximum permitted -size for the database). "samba-tool" now accepts the -"--backend-store-size" i.e. --backend-store-size=4Gb. If not -specified it defaults to 8Gb. - -This option is avaiable for the following sub commands: - * domain provision - * domain join - * domain dcpromo - * drs clone-dc-database - -LDB "batch_mode" ----------------- - -To improve performance during batch operations i.e. joins, ldb now -accepts a "batch_mode" option. However to prevent any index or -database inconsistencies if an operation fails, the entire transaction -will be aborted at commit. 
- -New LDB pack format -------------------- - -On first use (startup of 'samba' or the first transaction write) -Samba's sam.ldb will be updated to a new more efficient pack format. -This will take a few moments. - -New LDB <= and >= index mode to improve replication performance ---------------------------------------------------------------- - -As well as a new pack format, Samba's sam.ldb uses a new index format -allowing Samba to efficiently select objects changed since the last -replication cycle. This in turn improves performance during -replication of large domains. - -https://wiki.samba.org/index.php/LDB_Greater_than_and_Less_than_indexing - -Improvements to ldb search performance --------------------------------------- - -Search performance on large LDB databases has been improved by -reducing memory allocations made on each object. - -Improvements to subtree rename performance ------------------------------------------- - -Improvements have been made to Samba's handling of subtree renames, -for example of containers and organisational units, however large -renames are still not recommended. - -CTDB changes -============ - -* nfs-linux-kernel-callout now defaults to using systemd service names - - The Red Hat service names continue to be the default. - - Other distributions should patch this file when packaging it. - -* The onnode -o option has been removed - -* ctdbd logs when it is using more than 90% of a CPU thread - - ctdbd is single threaded, so can become saturated if it uses the - full capacity of a CPU thread. To help detect this situation, ctdbd - now logs messages when CPU utilisation exceeds 90%. Each change in - CPU utilisation over 90% is logged. A message is also logged when - CPU utilisation drops below the 90% threshold. - -* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed - - 05.system.script now monitors total memory (i.e. 
physical memory + - swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE - script configuration variable. - REMOVED FEATURES ================ -Web server ----------- - -As a leftover from work related to the Samba Web Administration Tool (SWAT), -Samba still supported a Python WSGI web server (which could still be turned on -from the 'server services' smb.conf parameter). This service was unused and has -now been removed from Samba. - - -samba-tool join subdomain -------------------------- - -The subdomain role has been removed from the join command. This option did -not work and has no tests. - - -Python2 support ---------------- - -Samba 4.11 will not have any runtime support for Python 2. - -If you are building Samba using the '--disable-python' option -(i.e. you're excluding all the run-time Python support), then this -will continue to work on a system that supports either python2 or -python3. - -To build Samba with python2 you *must* set the 'PYTHON' environment -variable for both the 'configure' and 'make' steps, i.e. - 'PYTHON=python2 ./configure' - 'PYTHON=python2 make' -This will override the python3 default. - -Except for this specific build-time use of python2, Samba now requires -Python 3.4 as a minimum. smb.conf changes ================ @@ -299,19 +27,11 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- - allocation roundup size Default changed/ 0 - Deprecated - client min protocol Changed default SMB2_02 - server min protocol Changed default SMB2_02 - mangled names Changed default illegal - web port Removed - fruit:zero_file_id Changed default False - KNOWN ISSUES ============ -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs ####################################### |
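Review bot: In the first hunk (@@ -1,297 +1,25 @@), UPGRADING is left as a bare heading once the "SMB1 is disabled by default" text goes, and the commit message does not say where the 4.11 notes remain available. The removed lines include the new SMB2_02 defaults for 'client min protocol' and 'server min protocol' and the NOTE WELL about GnuTLS honouring the system-wide 'FIPS mode'. Administrators upgrading across releases look for exactly these, so please confirm the 4.11 text is preserved elsewhere and say so in the commit message.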
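Review bot: In the second hunk (@@ -299,19 +27,11 @@), the KNOWN ISSUES link now points at Release_Planning_for_Samba_4.12#Release_blocking_bugs, and nothing in the patch shows that this wiki page and anchor exist yet; please check it before the preview is announced so the notes do not ship with a dead link. The smb.conf changes table is also reduced to its header and separator rows with no entries, which works as a template but would be safer with a placeholder row so an empty table is not released by accident.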