Release Announcements
=====================

This is the first preview release of Samba 4.9.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.9 will be the next version of the Samba suite.


UPGRADING
=========


NEW FEATURES/CHANGES
====================


net ads setspn
--------------

There is a new 'net ads setspn' sub command for managing Windows SPN(s)
on the AD. This command aims to give the basic functionality that is
provided on Windows by 'setspn.exe', e.g. the ability to add, delete and list
Windows SPN(s) stored in a Windows AD Computer object.

The format of the command is:

net ads setspn list [machine]
net ads setspn [add | delete ] SPN [machine]

'machine' is the name of the computer account on the AD that is to be managed.
If 'machine' is not specified the name of the 'client' running the command
is used instead.

The format of a Windows SPN is
  'serviceclass/host:port/servicename' (servicename and port are optional)

serviceclass/host is generally sufficient to specify a host based service.
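The SPN format above can be checked before a value is handed to 'net ads setspn add'. The following is an added example, not part of the Samba release notes or code; the names parse_spn and setspn_add_argv are hypothetical, and the port range check is an assumption beyond what the notes state.

```python
from typing import NamedTuple, Optional


class SPN(NamedTuple):
    serviceclass: str
    host: str
    port: Optional[int]
    servicename: Optional[str]


def parse_spn(text: str) -> SPN:
    """Parse 'serviceclass/host:port/servicename'; port and servicename optional."""
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("SPN must be non-empty and contain no whitespace")
    parts = text.split("/")
    if len(parts) not in (2, 3):
        raise ValueError("expected serviceclass/host[:port][/servicename]")
    serviceclass, hostport = parts[0], parts[1]
    servicename = parts[2] if len(parts) == 3 else None
    # A bare IPv6 literal as host is not handled here.
    host, sep, port_text = hostport.partition(":")
    port = None
    if sep:
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError("port must be numeric")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError("port out of range")
    if not serviceclass or not host or servicename == "":
        raise ValueError("empty SPN component")
    return SPN(serviceclass, host, port, servicename)


def setspn_add_argv(spn: str, machine: Optional[str] = None) -> list:
    """Build argv for 'net ads setspn add SPN [machine]' after validating SPN."""
    parse_spn(spn)  # raises ValueError on malformed input
    argv = ["net", "ads", "setspn", "add", spn]
    return argv + [machine] if machine else argv
```

Passing the result as an argument list (for instance to subprocess.run) keeps the SPN out of shell parsing.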

net ads keytab changes
----------------------

'net ads keytab add' no longer attempts to convert the passed serviceclass
(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
computer object. By default just the keytab file is modified.

A new keytab subcommand 'add_update_ads' has been added to preserve the
legacy behaviour. However the new 'net ads setspn add' subcommand should
really be used instead.

'net ads keytab create' no longer tries to generate SPN(s) from existing
entries in a keytab file. If it is required to add Windows SPN(s) then
'net ads setspn add' should be used instead.

Local authorization plugin for MIT Kerberos
-------------------------------------------

This plugin controls the relationship between Kerberos principals and AD
accounts through winbind. The module receives the Kerberos principal and the
local account name as inputs and can then check if they match. This can resolve
issues with canonicalized names returned by Kerberos within AD. If the user
tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
Kerberos would return ALICE as the username. Kerberos would not be able to map
'alice' to 'ALICE' in this case and auth would fail.  With this plugin account
names can be correctly mapped. This only applies to GSSAPI authentication,
not to getting the initial ticket-granting ticket.

Database audit support
----------------------

Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
entries.

Transaction commits and rollbacks are now logged to Samba's debug logs under
the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
JSON formatted log entries.

Password change audit support
-----------------------------

Password changes in the AD DC are now logged to Samba's debug logs under the
"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
formatted log entries.

Group membership change audit support
-------------------------------------

Group membership changes on the AD DC are now logged to
Samba's debug log under the "dsdb_group_audit" debug class and
"dsdb_group_json_audit" for JSON formatted log entries.
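
The JSON audit entries described in the three sections above lend themselves to automated triage. The following is an added example, not part of the Samba release notes or code: it pulls JSON records out of a debug log and flags failed operations and changes to watched groups. The log lines are constructed, and the record layout (a "type" field naming a nested object with "status", "dn", "action", "user" and "group") is an assumption that must be checked against real log output.

```python
import json
from collections import Counter

# Constructed sample: a debug-log header line, JSON audit records and one
# truncated line. The record layout (a "type" field naming a nested object
# with "status", "dn", "action", "user", "group") is an assumption.
SAMPLE_LOG = '''\
[2018/06/01 10:15:02.100000,  5] audit_logging.c(audit_log_json)
  JSON dsdbChange: {"type": "dsdbChange", "dsdbChange": {"status": "Success", "operation": "Modify", "dn": "CN=alice,CN=Users,DC=example,DC=com"}}
  JSON passwordChange: {"type": "passwordChange", "passwordChange": {"status": "Insufficient access rights", "action": "Reset", "dn": "CN=bob,CN=Users,DC=example,DC=com"}}
  JSON groupChange: {"type": "groupChange", "groupChange": {"status": "Success", "action": "Added", "user": "CN=carol,CN=Users,DC=example,DC=com", "group": "CN=Domain Admins,CN=Users,DC=example,DC=com"}}
  JSON dsdbTransaction: {"type": "dsdbTransaction", "dsdbTransaction": {"action": "commit"}}
  JSON dsdbChange: {"type": "dsdbChange", "dsdbChange": {"status": "Succ
'''


def parse_audit_records(text):
    """Return (type, payload) for every line that carries a JSON audit record."""
    records = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # debug header or plain-text audit line
        try:
            obj = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort
        kind = obj.get("type") if isinstance(obj, dict) else None
        if isinstance(kind, str) and isinstance(obj.get(kind), dict):
            records.append((kind, obj[kind]))
    return records


def triage(records, watched_groups=()):
    """Return counts per record type, failed operations, watched group changes."""
    counts = Counter(kind for kind, _ in records)
    # Records without a "status" field (e.g. transactions) are not failures.
    failures = [(k, p.get("dn") or p.get("group")) for k, p in records
                if p.get("status", "Success") != "Success"]
    watched = [(p.get("action"), p.get("user"), p.get("group"))
               for k, p in records
               if k == "groupChange" and p.get("group") in watched_groups]
    return counts, failures, watched
```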

Log Authentication duration
---------------------------

For NTLM and Kerberos KDC authentication, the authentication duration is now
logged. Note that the duration is only included in the JSON formatted log
entries.

New Experimental LMDB LDB backend
---------------------------------

A new experimental LDB backend using LMDB is now available. This allows
databases larger than 4Gb (currently the limit is set to 6Gb, but this will be
increased in a future release). To enable lmdb, provision or join a domain using
the --backend-store=mdb option.

This requires that a version of lmdb greater than 0.9.16 is installed and that
samba has not been built with the --without-ldb-lmdb option.

Please note this is an experimental feature and is not recommended for
production deployments.

REMOVED FEATURES
================



smb.conf changes
================

As the most popular Samba install platforms (Linux and FreeBSD) both
support extended attributes by default, the parameters "map readonly",
"store dos attributes" and "ea support" have had their defaults changed
to allow better Windows fileserver compatibility in a default install.

  Parameter Name                     Description             Default
  --------------                     -----------             -------
  map readonly                       Default changed              no
  store dos attributes               Default changed             yes
  ea support                         Default changed             yes

VFS interface changes
=====================

The VFS ABI interface version has changed to 39. Function changes
are:

SMB_VFS_FSYNC: Removed: Only async versions are used.
SMB_VFS_READ: Removed: Only PREAD or async versions are used.
SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.

Any external VFS modules will need to be updated to match these
changes in order to work with 4.9.x.

KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================