1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
Release Announcements
=====================
This is the first preview release of Samba 4.7. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
Samba 4.7 will be the next version of the Samba suite.
UPGRADING
=========
NEW FEATURES/CHANGES
====================
Samba AD with MIT Kerberos
--------------------------
After four years of development, Samba finally supports compiling and
running Samba AD with MIT Kerberos. You can enable it with:
./configure --with-system-mitkrb5
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
The krb5-devel and krb5-server packages are required.
The feature set is not on par with with the Heimdal build but the most important
things, like forest and external trusts, are working. Samba uses the KDC binary
provided by MIT Kerberos.
Missing features, compared to Heimdal, are:
* PKINIT support
* S4U2SELF/S4U2PROXY support
* RODC support (not fully working with Heimdal either)
The Samba AD process will take care of starting the MIT KDC and it will load a
KDB (Kerberos Database) driver to access the Samba AD database. When
provisioning an AD DC using 'samba-tool' it will take care of creating a correct
kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system
kdc.conf by default. It is possible to use a different location during
provision. You should consult the 'samba-tool' help and smb.conf manpage for
details.
Dynamic RPC port range
----------------------
The dynamic port range for RPC services has been changed from the old default
value 1024-1300 to 49152-65535. This port range is not only used by a
Samba AD DC but also applies to all other server roles including NT4-style
domain controllers. The new value has been defined by Microsoft in Windows
Server 2008 and newer versions. To make it easier for Administrators to control
those port ranges we use the same default and make it configureable with the
option: 'rpc server dynamic port range'.
The 'rpc server port' option sets the first available port from the new
'rpc server dynamic port range' option. The option 'rpc server port' only
applies to Samba provisioned as an AD DC.
Authentication and Authorization audit support
----------------------------------------------
Detailed authentication and authorization audit information is now
logged to Samba's debug logs under the "auth_audit" debug class,
including in particular the client IP address triggering the audit
line. Additionally, if Samba is compiled against the jansson JSON
library, a JSON representation is logged under the "auth_json_audit"
debug class.
Audit support is comprehensive for all authentication and
authorisation of user accounts in the Samba Active Directory Domain
Controller, as well as the implicit authentication in password
changes. In the file server and classic/NT4 domain controller, NTLM
authentication, SMB and RPC authorization is covered, however password
changes are not at this stage, and this support is not currently
backed by a testsuite.
Query record for open file or directory
---------------------------------------
The record attached to an open file or directory in Samba can be
queried through the 'net tdb locking' command. In clustered Samba this
can be useful to determine the file or directory triggering
corresponding "hot" record warnings in ctdb.
Parameter changes
-----------------
The "strict sync" global parameter has been changed from
a default of "no" to "yes". This means smbd will by default
obey client requests to synchronize unwritten data in operating
system buffers safely onto disk. This is a safer default setting
for modern SMB1/2/3 clients.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
auth event notification New parameter no
auth methods Deprecated
map untrusted to domain New value/ auto
Default changed/
Deprecated
profile acls Deprecated
strict sync Default changed yes
Removal of lpcfg_register_defaults_hook()
-----------------------------------------
The undocumented and unsupported function lpcfg_register_defaults_hook()
that was used by external projects to call into Samba and modify
smb.conf default parameter settings has been removed. If your project
was using this call please raise the issue on
samba-technical@lists.samba.org in order to design a supported
way of obtaining the same functionality.
Change of loadable module interface
-----------------------------------
The _init function of all loadable modules in Samba has changed
from:
NTSTATUS _init(void);
to:
NTSTATUS _init(TALLOC_CTX *);
This allows a program loading a module to pass in a long-lived
talloc context (which must be guaranteed to be alive for the
lifetime of the module). This allows modules to avoid use of
the talloc_autofree_context() (which is inherently thread-unsafe)
and still be valgrind-clean on exit. Modules that don't need to
free long-lived data on exist should use the NULL talloc context.
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
|
