summaryrefslogtreecommitdiff
path: root/WHATSNEW.txt
blob: 89e730b605e92e506a49088004640aaaea076854 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
                   ==============================
                   Release Notes for Samba 4.11.7
                           March 10, 2020
		   ==============================


This is the latest stable release of the Samba 4.11 release series.


Changes since 4.11.6:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet processing.
   * BUG 14283: s3: VFS: full_audit. Use system session_info if called from a
     temporary share definition.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14258: dsdb: Correctly handle memory in objectclass_attrs.
   * BUG 14270: ldb: version 2.0.9, Samba 4.11 and later give incorrect results
     for SCOPE_ONE searches.

o  Volker Lendecke <vl@samba.org>
   * BUG 14247: auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences.
   * BUG 14285: smbd: Handle EINTR from open(2) properly.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14247: winbind member (source3) fails local SAM auth with empty domain
     name.
   * BUG 14265: winbindd: Handling missing idmap in getgrgid().

o  Andreas Schneider <asn@samba.org>
   * BUG 14253: lib:util: Log mkdir error on correct debug levels.
   * BUG 14266: wafsamba: Do not use 'rU' as the 'U' is deprecated in
     Python 3.9.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14274: ctdb-tcp: Make error handling for outbound connection
     consistent.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------

                   ==============================
                   Release Notes for Samba 4.11.6
                          January 28, 2020
		   ==============================


This is the latest stable release of the Samba 4.11 release series.


Changes since 4.11.5:
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14209: pygpo: Use correct method flags.

o  David Disseldorp <ddiss@samba.org>
   * BUG 14216: vfs_ceph_snapshots: Fix root relative path handling.

o  Torsten Fohrer <torsten.fohrer@sbe.de>
   * BUG 14209: Avoiding bad call flags with python 3.8, using METH_NOARGS
     instead of zero.

o  Fabrice Fontaine <fontaine.fabrice@gmail.com>
   * BUG 14218: source4/utils/oLschema2ldif: Include stdint.h before cmocka.h.

o  Björn Jacke <bjacke@samba.org>
   * BUG 14122: docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc.

o  Volker Lendecke <vl@samba.org>
   * BUG 14251: smbd: Fix the build with clang.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14199: upgradedns: Ensure lmdb lock files linked.

o  Anoop C S <anoopcs@redhat.com>
   * BUG 14182: s3: VFS: glusterfs: Reset nlinks for symlink entries during
     readdir.

o  Andreas Schneider <asn@samba.org>
   * BUG 14101: smbc_stat() doesn't return the correct st_mode and also the
     uid/gid is not filled (SMBv1) file.
   * BUG 14219: librpc: Fix string length checking in
     ndr_pull_charset_to_null().

o  Martin Schwenke <martin@meltin.net>
   * BUG 14227: ctdb-scripts: Strip square brackets when gathering connection
     info.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.5
                          January 21, 2020
		   ==============================


This is a security release in order to address the following defects:

o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
		  Directory not automatic.        
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
		  above.                                               
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
                                                                                
                                                                                
=======                                                                         
Details                                                                         
=======                                                                         
                                                                                
o  CVE-2019-14902:                                                                                
   The implementation of ACL inheritance in the Samba AD DC was not complete,
   and so absent a 'full-sync' replication, ACLs could get out of sync between
   domain controllers. 

o  CVE-2019-14907:
   When processing untrusted string input Samba can read past the end of the
   allocated buffer when printing a "Conversion error" message to the logs.

o  CVE-2019-19344:                                                                                
   During DNS zone scavenging (of expired dynamic entries) there is a read of
   memory after it has been freed.

For more details and workarounds, please refer to the security advisories.


Changes since 4.11.4:
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
     not automatic.
   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
     string into the logs.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
     dns_tombstone_records_zone.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.4
                          December 16, 2019
		   ==============================


This is the latest stable release of the Samba 4.11 release series.


Changes since 4.11.3:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14161: s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an inode
     number.
   * BUG 14174: s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum()
     on an SMB1 connection.
   * BUG 14176: NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in
     SMBC_opendir_ctx.
   * BUG 14189: s3: smbd: SMB2 - Ensure we use the correct session_id if
     encrypting an interim response.
   * BUG 14205: Prevent smbd crash after invalid SMB1 negprot.

o  Ralph Boehme <slow@samba.org>
   * BUG 13745: s3:printing: Fix %J substition.
   * BUG 13925: s3: Remove now unneeded call to cmdline_messaging_context().
   * BUG 14069: Incomplete conversion of former parametric options.
   * BUG 14070: Fix sync dosmode fallback in async dosmode codepath.
   * BUG 14171: vfs_fruit returns capped resource fork length.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14116: libnet_join: Add SPNs for additional-dns-hostnames entries.

o  Volker Lendecke <vl@samba.org>
   * BUG 14211: smbd: Increase a debug level.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14153: Prevent azure ad connect from reporting discovery errors:
     reference-value-not-ldap-conformant.

o  Christof Schmitt <cs@samba.org>
   * BUG 14179: krb5_plugin: Fix developer build with newer heimdal system
     library.

o  Andreas Schneider <asn@samba.org>
   * BUG 14168: replace: Only link libnsl and libsocket if requrired.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14175: ctdb: Incoming queue can be orphaned causing communication
     breakdown.

o  Uri Simchoni <uri@samba.org>
   * BUG 13846: ldb: Release ldb 2.0.8. Cross-compile will not take
     cross-answers or cross-execute.
   * BUG 13856: heimdal-build: Avoid hard-coded /usr/include/heimdal in
     asn1_compile-generated code.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.3
                          December 10, 2019
		   ==============================


This is a security release in order to address the following defects:

o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
		  management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
		  on Samba AD DC.


=======
Details
=======

o  CVE-2019-14861:
   An authenticated user can crash the DCE/RPC DNS management server by creating
   records with matching the zone name.

o  CVE-2019-14870:
   The DelegationNotAllowed Kerberos feature restriction was not being applied
   when processing protocol transition requests (S4U2Self), in the AD DC KDC.

For more details and workarounds, please refer to the security advisories.


Changes since 4.11.2:
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14187: CVE-2019-14870: DelegationNotAllowed not being enforced.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.2
                          October 29, 2019
		   ==============================


This is a security release in order to address the following defects:

o CVE-2019-10218: Client code can return filenames containing path separators.          
o CVE-2019-14833: Samba AD DC check password script does not receive the full
		  password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
		  via dirsync.

=======
Details
=======

o  CVE-2019-10218:
   Malicious servers can cause Samba client code to return filenames containing
   path separators to calling code.

o  CVE-2019-14833:
   When the password contains multi-byte (non-ASCII) characters, the check
   password script does not receive the full password string.

o  CVE-2019-14847:
   Users with the "get changes" extended access right can crash the AD DC LDAP
   server by requesting an attribute using the range= syntax.

For more details and workarounds, please refer to the security advisories.


Changes since 4.11.1:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
     from evil server returned names.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
     password.
   * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
     combined with dirsync.

o  Björn Baumbach <bb@sernet.de>
   * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password
     script.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.1
                          October 18, 2019
		   ==============================


This is the latest stable release of the Samba 4.11 release series.


Changes since 4.11.0:
---------------------

o  Michael Adam <obnox@samba.org>
   * BUG 14141: getpwnam and getpwuid need to return data for ID_TYPE_BOTH
     group.

o  Jeremy Allison <jra@samba.org>
   * BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and
     smbc_lseekdir().
   * BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into
     SMB1-specific calls.

o  Ralph Boehme <slow@samba.org>
   * BUG 14137: Fix stale file handle error when using mkstemp on a share.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server.
   * BUG 14140: Overlinking libreplace against librt and pthread against every
     binary or library causes issues.

o  Günther Deschner <gd@samba.org>
   * BUG 14130: s3-winbindd: Fix forest trusts with additional trust attributes.
   * BUG 14134: auth/gensec: Fix non-AES schannel seal.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 14147: Deleted records can be resurrected during recovery.

o  Björn Jacke <bj@sernet.de>
   * BUG 14136: Fix uncaught exception in classicupgrade.
   * BUG 14139: fault.c: Improve fault_report message text pointing to our wiki.

o  Bryan Mason <bmason@redhat.com>
   * BUG 14128: s3:client: Use DEVICE_URI, instead of argv[0], for Device URI.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14124: pam_winbind with krb5_auth or wbinfo -K doesn't work for users
     of trusted domains/forests.

o  Mathieu Parent <math.parent@gmail.com>
   * BUG 14131: Remove 'pod2man' as it is no longer needed.

o  Andreas Schneider <asn@samba.org>
   * BUG 13884: Joining Active Directory should not use SAMR to set the
     password.
   * BUG 14140: Overlinking libreplace against librt and pthread against every
     binary or library causes issues.
   * BUG 14155: 'kpasswd' fails when built with MIT Kerberos.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14129: Exit code of ctdb nodestatus should not be influenced by deleted
     nodes.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.11.0
                         September 17, 2019
		   ==============================


This is the first stable release of the Samba 4.11 release series.
Please read the release notes carefully before upgrading.


UPGRADING
=========

AD Database compatibility
-------------------------

Samba 4.11 has changed how the AD database is stored on disk. AD users should
not really be affected by this change when upgrading to 4.11. However, AD
users should be extremely careful if they need to downgrade from Samba 4.11 to
an older release.

Samba 4.11 maintains database compatibility with older Samba releases. The
database will automatically get rewritten in the new 4.11 format when you
first start the upgraded samba executable.

However, when downgrading from 4.11 you will need to manually downgrade the AD
database yourself. Note that you will need to do this step before you install
the downgraded Samba packages. For more details, see:
https://wiki.samba.org/index.php/Downgrading_an_Active_Directory_DC

When either upgrading or downgrading, users should also avoid making any
database modifications between installing the new Samba packages and starting
the samba executable.

SMB1 is disabled by default
---------------------------

The defaults of 'client min protocol' and 'server min protocol'
have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer
able to connect to smbd (by default).

It also means client tools like smbclient and other,
as well as applications making use of libsmbclient are no longer
able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
and LANMAN1 for client and server, as well as CORE and COREPLUS on
the client.

Note that most commandline tools e.g. smbclient, smbcacls and others
also support the '--option' argument to overwrite smb.conf options,
e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases
or uninstalls it after 30 days without usage, the Samba Team
tries to get remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step
in the following years. If you have a strong requirement for SMB1
(except for supporting old Linux Kernels), please file a bug
at https://bugzilla.samba.org and let us know about the details.

LanMan and plaintext authentication deprecated
----------------------------------------------

The "lanman auth" and "encrypt passwords" parameters are deprecated
with this release as both are only applicable to SMB1 and are quite
insecure.  NTLM, NTLMv2 and Kerberos authentication are unaffected, as
"encrypt passwords = yes" has been the default since Samba 3.0.0.

If you have a strong requirement for these authentication protocols,
please file a bug at https://bugzilla.samba.org and let us know about
the details.

BIND9_FLATFILE deprecated
-------------------------

The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future.  This was only practically useful on a single
domain controller or under expert care and supervision.

This release therefore deprecates the "rndc command" smb.conf
parameter, which is used to support this configuration.  After writing
out a list of DCs permitted to make changes to the DNS Zone "rndc
command" is called with reload to tell the 'named' server if a DC was
added/removed to to the domain.


NEW FEATURES/CHANGES
====================

Default samba process model
---------------------------

The default for the '--model' argument passed to the samba executable has changed
from 'standard' to 'prefork'. This means a difference in the number of samba
child processes that are created to handle client connections. The previous
default would create a separate process for every LDAP or NETLOGON client
connection. For a network with a lot of persistent client connections, this
could result in significant memory overhead.  Now, with the new default of
'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
worker processes at startup and share the client connections amongst these
workers. The number of worker processes can be configured by the 'prefork
children' setting in the smb.conf (the default is 4).

Authentication Logging
----------------------

Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
been added to the Authentication JSON log messages.  This contains a random
logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
to SamLogon, linking the windbind and SamLogon requests.

The serviceDescription of the messages is set to "winbind", the authDescription
is set to one of:
   "PASSDB, <command>, <pid>"
   "PAM_AUTH, <command>, <pid>"
   "NTLM_AUTH, <command>, <pid>"
where:
   <command> is the name of the command makinmg the winbind request i.e. wbinfo
   <pid>     is the process id of the requesting process.

The version of the JSON Authentication messages has been changed from 1.1 to
1.2.

LDAP referrals
--------------

The scheme of returned LDAP referrals now reflects the scheme of the original
request, i.e. referrals received via ldap are prefixed with "ldap://"
and those over ldaps are prefixed with "ldaps://".

Previously all referrals were prefixed with "ldap://".

Bind9 logging
-------------

It is now possible to log the duration of DNS operations performed by Bind9.
This should aid future diagnosis of performance issues and could be used to
monitor DNS performance. The logging is enabled by setting log level to
"dns:10" in smb.conf.

The logs are currently human readable text only, i.e. no JSON formatted output.

Log lines are of the form:

    <function>: DNS timing: result: [<result>] duration: (<duration>)
    zone: [<zone>] name: [<name>] data: [<data>]

    durations are in microseconds.

Default schema updated to 2012_R2
---------------------------------

Default AD schema changed from 2008_R2 to 2012_R2.  2012_R2 functional level
is not yet available.  Older schemas can be used by provisioning with the
'--base-schema' argument.  Existing installations can be updated with the
samba-tool command "domain schemaupgrade".

Samba's replication code has also been improved to handle replication
with the 2012 schema (the core of this replication fix has also been
backported to 4.9.11 and will be in a 4.10.x release).

For more about how the AD schema relates to overall Windows compatibility,
please read:
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility

GnuTLS 3.2 required
-------------------

Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries.  To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.2 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.

NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.

A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.

samba-tool improvements
-----------------------

A new "samba-tool contact" command has been added to allow the
command-line manipulation of contacts, as used for address book
lookups in LDAP.

The "samba-tool [user|group|computer|group|contact] edit" command has been
improved to operate more pleasantly on international character sets.

100,000 USER and LARGER Samba AD DOMAINS
========================================

Extensive efforts have been made to optimise Samba for use in
organisations (for example) targeting 100,000 users, plus 120,000
computer objects, as well as large number of group memberships.

Many of the specific efforts are detailed below, but the net results
is to remove barriers to significantly larger Samba deployments
compared to previous releases.

Reindex performance improvements
--------------------------------

The performance of samba-tool dbcheck --reindex has been improved,
especially for large domains.

join performance improvements
-----------------------------

The performance of samba-tool domain join has been improved,
especially for large domains.

LDAP Server memory improvements
-------------------------------

The LDAP server has improved memory efficiency, ensuring that large
LDAP responses (for example a search for all objects) is not copied
multiple times into memory.

Setting lmdb map size
---------------------

It is now possible to set the lmdb map size (the maximum permitted
size for the database).  "samba-tool" now accepts the
"--backend-store-size" i.e. --backend-store-size=4Gb.  If not
specified it defaults to 8Gb.

This option is avaiable for the following sub commands:
 * domain provision
 * domain join
 * domain dcpromo
 * drs clone-dc-database

LDB "batch_mode"
----------------

To improve performance during batch operations i.e. joins, ldb now
accepts a "batch_mode" option.  However to prevent any index or
database inconsistencies if an operation fails, the entire transaction
will be aborted at commit.

New LDB pack format
-------------------

On first use (startup of 'samba' or the first transaction write)
Samba's sam.ldb will be updated to a new more efficient pack format.
This will take a few moments.

New LDB <= and >= index mode to improve replication performance
---------------------------------------------------------------

As well as a new pack format, Samba's sam.ldb uses a new index format
allowing Samba to efficiently select objects changed since the last
replication cycle.  This in turn improves performance during
replication of large domains.

https://wiki.samba.org/index.php/LDB_Greater_than_and_Less_than_indexing

Improvements to ldb search performance
--------------------------------------

Search performance on large LDB databases has been improved by
reducing memory allocations made on each object.

Improvements to subtree rename performance
------------------------------------------

Improvements have been made to Samba's handling of subtree renames,
for example of containers and organisational units, however large
renames are still not recommended.

CTDB changes
============

* nfs-linux-kernel-callout now defaults to using systemd service names

  The Red Hat service names continue to be the default.

  Other distributions should patch this file when packaging it.

* The onnode -o option has been removed

* ctdbd logs when it is using more than 90% of a CPU thread

  ctdbd is single threaded, so can become saturated if it uses the
  full capacity of a CPU thread.  To help detect this situation, ctdbd
  now logs messages when CPU utilisation exceeds 90%.  Each change in
  CPU utilisation over 90% is logged.  A message is also logged when
  CPU utilisation drops below the 90% threshold.

* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed

  05.system.script now monitors total memory (i.e. physical memory +
  swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
  script configuration variable.

CephFS Snapshot Integration
---------------------------

CephFS snapshots can now be exposed as previous file versions using the new
ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.


REMOVED FEATURES
================

Web server
----------

As a leftover from work related to the Samba Web Administration Tool (SWAT),
Samba still supported a Python WSGI web server (which could still be turned on
from the 'server services' smb.conf parameter). This service was unused and has
now been removed from Samba.

samba-tool join subdomain
-------------------------

The subdomain role has been removed from the join command.  This option did
not work and has no tests.

Python2 support
---------------

Samba 4.11 will not have any runtime support for Python 2.

If you are building Samba using the '--disable-python' option
(i.e. you're excluding all the run-time Python support), then this
will continue to work on a system that supports either python2 or
python3.

To build Samba with python2 you *must* set the 'PYTHON' environment
variable for both the 'configure' and 'make' steps, i.e.
   'PYTHON=python2 ./configure'
   'PYTHON=python2 make'
This will override the python3 default.

Except for this specific build-time use of python2, Samba now requires
Python 3.4 as a minimum.

smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------

  allocation roundup size            Default changed/           0
                                     Deprecated
  client min protocol                Changed default            SMB2_02
  server min protocol                Changed default            SMB2_02
  mangled names                      Changed default            illegal
  web port                           Removed
  fruit:zero_file_id                 Changed default            False
  debug encryption                   New: dump encryption keys  False
  rndc command                       Deprecated
  lanman auth                        Deprecated
  encrypt passwords                  Deprecated


CHANGES SINCE 4.11.0rc4
=======================


CHANGES SINCE 4.11.0rc3
=======================

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14049: ldb: Don't try to save a value that isn't there.
   * ldb_dn: Free dn components on explode failure.
   * ldb: Do not allow adding a DN as a base to itself.

o  Andrew Bartlett <abartlet@samba.org>
   * ldb: Release ldb 2.0.7.
   * BUG 13695: ldb: Correct Pigeonhole principle validation in
     ldb_filter_attrs().
   * BUG 14049: Fix ldb dn crash.
   * BUG 14117: Deprecate "lanman auth = yes" and "encrypt passwords = no".

o  Ralph Boehme <slow@samba.org>
   * BUG 14038: Fix compiling ctdb on older systems lacking POSIX robust
     mutexes.
   * BUG 14121: smbd returns bad File-ID on filehandle used to create a file or
     directory.

o  Poornima G <pgurusid@redhat.com>
   * BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14055: Add the target server name of SMB 3.1.1 connections as a hint to
     load balancers or servers with "multi-tenancy" support.
   * BUG 14113: Fix byte range locking bugs/regressions.

o  Swen Schillig <swen@linux.ibm.com>
   * ldb: Fix mem-leak if talloc_realloc fails.

o  Evgeny Sinelnikov <sin@altlinux.org>
   * BUG 14007: Fix join with don't exists machine account.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14085: ctdb-recoverd: Only check for LMASTER nodes in the VNN map.


CHANGES SINCE 4.11.0rc2
=======================

o  Michael Adam <obnox@samba.org>
   * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
     loss in CTDB cluster.

o  Jeremy Allison <jra@samba.org>
   * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
     from the share.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what
     is happening).
   * BUG 14092: docs: Deprecate "rndc command" for Samba 4.11.

o  Tim Beale <timbeale@catalyst.net.nz>
   * BUG 14059: ldb: Free memory when repacking database.

o  Ralph Boehme <slow@samba.org>
   * BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id.
   * BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and
     st_ex_iflags.

o  Anoop C S <anoopcs@redhat.com>
   * BUG 14093: vfs_glusterfs: Enable profiling for file system operations.

o  Aaron Haslett <aaronhaslett@catalyst.net.nz>
   * BUG 14059: Backport sambadowngradedatabase for v4.11.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
     from the share.

o  Christof Schmitt <cs@samba.org>
   * BUG 14032: vfs_gpfs: Implement special case for denying owner access to
     ACL.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14084: Avoid marking a node as connected before it can receive packets.
   * BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7.
   * BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing
     databases.


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================