summaryrefslogtreecommitdiff
path: root/WHATSNEW.txt
blob: dfeb80b6a6b3a81c879aa3e1e50e8c342e88c37f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
                   ==============================
                   Release Notes for Samba 4.12.6
                          August 13, 2020
		   ==============================


This is the latest stable release of the Samba 4.12 release series.


Changes since 4.12.5
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256"
     to work on RHEL7.
   * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.

o  Ralph Boehme <slow@samba.org>
   * BUG 14426: lib/debug: Set the correct default backend loglevel to
     MAX_DEBUG_LEVEL.
   * BUG 14428: PANIC: Assert failed in get_lease_type().

o  Bjoern Jacke <bjacke@samba.org>
   * BUG 14422: util: Fix build on AIX by fixing the order of replace.h include.

o  Volker Lendecke <vl@samba.org>
   * BUG 14355: srvsvc_NetFileEnum asserts with open files.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14354: KDC breaks with DES keys still in the database and
     msDS-SupportedEncryptionTypes 31 indicating support for it.
   * BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets
     conn->cwd_fsp->fh->fd = AT_FDCWD.
   * BUG 14428: PANIC: Assert failed in get_lease_type().

o  Andreas Schneider <asn@samba.org>
   * BUG 14358: docs: Fix documentation for require_membership_of of
     pam_winbind.conf.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB
     NFS scripts.

o  Andrew Walker <awalker@ixsystems.com>
   * BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema
     mode fatal.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------

                   ==============================
                   Release Notes for Samba 4.12.5
                            July 02, 2020
		   ==============================


This is the latest stable release of the Samba 4.12 release series.


Changes since 4.12.4
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14301: Fix smbd panic on force-close share during async io.
   * BUG 14374: Fix segfault when using SMBC_opendir_ctx() routine for share
     folder that contains incorrect symbols in any file name.
   * BUG 14391: Fix DFS links.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14310: Can't use DNS functionality after a Windows DC has been in
     domain.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 14413: ldapi search to FreeIPA crashes.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14396: Add net-ads-join dnshostname=fqdn option.
   * BUG 14406: Fix adding msDS-AdditionalDnsHostName to keytab with Windows DC.

o  Björn Jacke <bj@sernet.de>
   * BUG 14386: docs-xml: Update list of posible VFS operations for
     vfs_full_audit.

o  Volker Lendecke <vl@samba.org>
   * BUG 14382: winbindd: Fix a use-after-free when winbind clients exit.

o  Andreas Schneider <asn@samba.org>
   * BUG 14370: Client tools are not able to read gencache anymore.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.12.4
                            July 02, 2020
		   ==============================


This is a security release in order to address the following defects:

o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
		  LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
		  excessive CPU
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
		  paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.


=======
Details
=======

o  CVE-2020-10730:
   A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
   de-reference and further combinations with the LDAP paged_results feature can
   give a use-after-free in Samba's AD DC LDAP server.

o  CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
   excessive CPU.

o  CVE-2020-10760:
   The use of the paged_results or VLV controls against the Global Catalog LDAP
   server on the AD DC will cause a use-after-free.

o  CVE-2020-14303:
   The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
   further requests once it receives an empty (zero-length) UDP packet to
   port 137.

For more details, please refer to the security advisories.


Changes since 4.12.3
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
     several seconds of CPU each.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined.
   * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
     server with paged_result or VLV.
   * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
     AD DC nbt_server.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
     and VLV combined, ldb: Bump version to 2.1.4.  
   

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.12.3
                            May 19, 2020
		   ==============================


This is the latest stable release of the Samba 4.12 release series.


Changes since 4.12.2
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14301: Fix smbd panic on force-close share during async io.
   * BUG 14343: s3: vfs_full_audit: Add missing fcntl entry in vfs_op_names[]
     array.
   * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.
   * BUG 14372: Fix smbd crashes when MacOS Catalina connects if iconv
     initialization fails.

o  Ralph Boehme <slow@samba.org>
   * BUG 14150: Exporting from macOS Adobe Illustrator creates multiple copies.
   * BUG 14256: smbd does a chdir() twice per request.
   * BUG 14320: smbd mistakenly updates a file's write-time on close.
   * BUG 14350: vfs_shadow_copy2: implement case canonicalisation in
     shadow_copy2_get_real_filename().
   * BUG 14375: Fix Windows 7 clients problem after upgrading samba file server.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd.

o  Isaac Boukris <iboukris@gmail.com>
   * BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18.
   * BUG 14342: mit-kdc: Explicitly reject S4U requests.

o  Anoop C S <anoopcs@redhat.com>
   * BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested
     share_mode_do_locked().

o  Amit Kumar <amitkuma@redhat.com>
   * BUG 14345: lib:util: Fix smbclient -l basename dir.

o  Volker Lendecke <vl@samba.org>
   * BUG 14336: s3:libads: Fix ads_get_upn().
   * BUG 14348: ctdb: Fix a memleak.
   * BUG 14366: Malicous SMB1 server can crash libsmbclient.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14330: ldb: Bump version to 2.1.3, LMDB databases can grow without
     bounds

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14361: vfs_io_uring: Fix data corruption with Windows clients.

o  Noel Power <noel.power@suse.com>
   * BUG 14344: s3/librpc/crypto: Fix double free with unresolved credential
     cache.

o  Andreas Schneider <asn@samba.org>
   * BUG 14358: docs-xml: Fix usernames in pam_winbind manpages.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.12.2
                           April 28, 2020
		   ==============================


This is a security release in order to address the following defects:

o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC


=======
Details
=======

o  CVE-2020-10700:
   A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a
   use-after-free in Samba's AD DC LDAP server.
o  CVE-2020-10704:
   A deeply nested filter in an un-authenticated LDAP search can exhaust the
   LDAP server's stack memory causing a SIGSEGV.

For more details, please refer to the security advisories.


Changes since 4.12.1
--------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14331: CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
     ASQ and paged_results combined.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 20454: CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
     Samba AD DC.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.12.1
                           April 07, 2020
		   ==============================


This is the latest stable release of the Samba 4.12 release series.


Changes since 4.12.0
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().

o  Björn Baumbach <bb@sernet.de>
   * BUG 14296: samba-tool group: Handle group names with special chars
     correctly.

o  Ralph Boehme <slow@samba.org>
   * BUG 14293: Add missing check for DMAPI offline status in async DOS
     attributes.
   * BUG 14295: Starting ctdb node that was powered off hard before results in
     recovery loop.
   * BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
   * BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
     non-existant paths.

o  Günther Deschner <gd@samba.org>
   * BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
   * BUG 14327: nsswitch: Fix use-after-free causing segfault in
     _pam_delete_cred.

o  Art M. Gallagher <repos@artmg.net>
   * BUG 13622: fruit:time machine max size is broken on arm.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 14294: CTDB recovery corner cases can cause record resurrection and
     node banning.

o  Noel Power <noel.power@suse.com>
   * BUG 14332: s3/utils: Fix double free error with smbtree.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14294: CTDB recovery corner cases can cause record resurrection and
     node banning.
   * BUG 14295: Starting ctdb node that was powered off hard before results in
     recovery loop.
   * BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
     pointer.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


----------------------------------------------------------------------


                   ==============================
                   Release Notes for Samba 4.12.0
                           March 03, 2020
		   ==============================


This is the first stable release of the Samba 4.12 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

Python 3.5 Required
-------------------

Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11.  Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

(Build time support for the file server with Python 2.6 has not
changed)

Removing in-tree cryptography: GnuTLS 3.4.7 required
----------------------------------------------------

Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries.  To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.

Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.

Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!

NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.

A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.

zlib library is now required to build Samba
-------------------------------------------

Samba no longer includes a local copy of zlib in our source tarball.
By removing this we do not need to ship (even where we did not
build) the old, broken zip encryption code found there.

New Spotlight backend for Elasticsearch
---------------------------------------

Support for the macOS specific Spotlight search protocol has been enhanced
significantly. Starting with 4.12 Samba supports using Elasticsearch as search
backend. Various new parameters have been added to configure this:

  spotlight backend = noindex | elasticsearch | tracker
  elasticsearch:address = ADDRESS
  elasticsearch:port = PORT
  elasticsearch:use tls = BOOLEAN
  elasticsearch:index = INDEXNAME
  elasticsearch:mappings = PATH
  elasticsearch:max results = NUMBER

Samba also ships a Spotlight client command "mdfind" which can be used to search
any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
for details.

Note that when upgrading existing installations that are using the previous
default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
tracker" as the new default is "noindex".

'net ads kerberos pac save' and 'net eventlog export'
-----------------------------------------------------

The 'net ads kerberos pac save' and 'net eventlog export' tools will
no longer silently overwrite an existing file during data export.  If
the filename given exits, an error will be shown.

Fuzzing
-------

A large number of fuzz targets have been added to Samba, and Samba has
been registered in Google's oss-fuzz cloud fuzzing service.  In
particular, we now have good fuzzing coverage of our generated NDR
parsing code.

A large number of issues have been found and fixed thanks to this
effort.

'samba-tool' improvements add contacts as member to groups
----------------------------------------------------------

Previously 'samba-tool group addmemers' can just add users, groups and
computers as members to groups. But also contacts can be members of
groups. Samba 4.12 adds the functionality to add contacts to
groups. Since contacts have no sAMAccountName, it's possible that
there are more than one contact with the same name in different
organizational units. Therefore it's necessary to have an option to
handle group members by their DN.

To get the DN of an object there is now the "--full-dn" option available
for all necessary commands.

The MS Windows UI allows to search for specific types of group members
when searching for new members for a group. This feature is included
here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
option. The different types are selected accordingly to the Windows
UI. The default samba-toole behaviour shouldn't be changed.

Allow filtering by OU or subtree in samba-tool
----------------------------------------------

A new "--base-dn" and "--member-base-dn" option is added to relevant
samba-tool user, group and ou management commands to allow operation
on just one part of the AD tree, such as a single OU.

VFS
===

SMB_VFS_NTIMES
--------------

Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.

VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.

'io_uring' vfs module
---------------------

The module makes use of the new io_uring infrastructure
(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/

Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).

In order to build the module you need the liburing userspace library
and its developement headers installed, see
https://git.kernel.dk/cgit/liburing/

At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.

MS-DFS changes in the VFS
-------------------------

This release changes set getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:

SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()

instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this has not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this
way.


CTDB changes
============

* The ctdb_mutex_fcntl_helper periodically re-checks the lock file

  The re-check period is specified using a 2nd argument to this
  helper.  The default re-check period is 5s.

  If the file no longer exists or the inode number changes then the
  helper exits.  This triggers an election.


REMOVED FEATURES
================

The smb.conf parameter "write cache size" has been removed.

Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development.  The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-contrained
systems, so this functionality should not be enabled in core smbd
code.

In addition, it complicated the write code, which is a performance
critical code path.

If required for specialist purposes, it can be recreated as a VFS
module.

Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).

Samba-DC: DES keys no longer saved in DB.
-----------------------------------------
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password.  If the account is being
migrated to Windbows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.

Heimdal-DC: removal of weak-crypto.
-----------------------------------
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).

vfs_netatalk: The netatalk VFS module has been removed.
-------------------------------------------------------

The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.

BIND9_FLATFILE deprecated
-------------------------

The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future.  This was only practically useful on a single
domain controller or under expert care and supervision.

This release removes the 'rndc command' smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain.  Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.


smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------

  elasticsearch:address              New                        localhost
  elasticsearch:port                 New                        9200
  elasticsearch:use tls              New                        No
  elasticsearch:index                New                        _all
  elasticsearch:mappings             New                        DATADIR/elasticsearch_mappings.json
  elasticsearch:max results          New                        100
  nfs4:acedup                        Changed default            merge
  rndc command                       Removed
  write cache size                   Removed
  spotlight backend		     New			noindex


CHANGES SINCE 4.12.0rc4
=======================

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14258: dsdb: Correctly handle memory in objectclass_attrs.


CHANGES SINCE 4.12.0rc3
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14269: s3: DFS: Don't allow link deletion on a read-only share.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14284: pidl/wscript: configure should insist on Parse::Yapp::Driver.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14270: ldb: Fix search with scope ONE and small result sets.
   * BUG 14284: build: Do not check if system perl modules should be bundled.

o  Volker Lendecke <vl@samba.org>
   * BUG 14285: smbd fails to handle EINTR from open(2) properly.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14270: ldb: version 2.1.1.


CHANGES SINCE 4.12.0rc2
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14282: Set getting and setting of MS-DFS redirects on the filesystem
     to go through two new VFS functions SMB_VFS_CREATE_DFS_PATHAT() and
     SMB_VFS_READ_DFS_PATHAT().

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14255: bootstrap: Remove un-used dependency python3-crypto.

o  Volker Lendecke <vl@samba.org>
   * BUG 14247: Fix CID 1458418 and 1458420.
   * BUG 14281: lib: Fix a shutdown crash with "clustering = yes".

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14247: Winbind member (source3) fails local SAM auth with empty domain
     name.
   * BUG 14265: winbindd: Handle missing idmap in getgrgid().
   * BUG 14271: Don't use forward declaration for GnuTLS typedefs.
   * BUG 14280: Add io_uring vfs module.

o  Andreas Schneider <asn@samba.org>
   * BUG 14250: libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2.


CHANGES SINCE 4.12.0rc1
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14239: s3: lib: nmblib. Clean up and harden nmb packet processing.

o  Andreas Schneider <asn@samba.org>
   * BUG 14253: lib:util: Log mkdir error on correct debug levels.


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.12#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================