1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
|
Release Announcements
=====================
This is the first preview release of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
Samba 4.11 will be the next version of the Samba suite.
UPGRADING
=========
NEW FEATURES/CHANGES
====================
Default samba process model
---------------------------
The default for the --model argument passed to the samba executable has changed
from 'standard' to 'prefork'. This means a difference in the number of samba
child processes that are created to handle client connections. The previous
default would create a separate process for every LDAP or NETLOGON client
connection. For a network with a lot of persistent client connections, this
could result in significant memory overhead. Now, with the new default of
'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
worker processes at startup and share the client connections amongst these
workers. The number of worker processes can be configured by the 'prefork
children' setting in the smb.conf (the default is 4).
Authentication Logging.
-----------------------
Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
been added to the Authentication JSON log messages. This contains a random
logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
to SamLogon, linking the windbind and SamLogon requests.
The serviceDescription of the messages is set to "winbind", the authDescription
is set to one of:
"PASSDB, <command>, <pid>"
"PAM_AUTH, <command>, <pid>"
"NTLM_AUTH, <command>, <pid>"
where:
<command> is the name of the command makinmg the winbind request i.e. wbinfo
<pid> is the process id of the requesting process.
The version of the JSON Authentication messages has been changed to 1.2 from 1.1
LDAP referrals
--------------
The scheme of returned LDAP referrals now reflects the scheme of the original
request, i.e. referrals received via ldap are prefixed with "ldap://"
and those over ldaps are prefixed with "ldaps://"
Previously all referrals were prefixed with "ldap://"
Bind9 logging
-------------
It is now possible to log the duration of DNS operations performed by Bind9
This should aid future diagnosis of performance issues, and could be used to
monitor DNS performance. The logging is enabled by setting log level to
"dns:10" in smb.conf
The logs are currently Human readable text only, i.e. no JSON formatted output.
Log lines are of the form:
<function>: DNS timing: result: [<result>] duration: (<duration>)
zone: [<zone>] name: [<name>] data: [<data>]
durations are in microseconds.
Default schema updated to 2012_R2
---------------------------------
Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
is not yet available. Older schemas can be used by provisioning with the
'--base-schema' argument. Existing installations can be updated with the
samba-tool command "domain schemaupgrade".
Samba's replication code has also been improved to handle replication
with the 2012 schema (the core of this replication fix has also been
backported to 4.9.11 and will be in a 4.10.x release).
100,000 USER and LARGER Samba AD DOMAINS
========================================
Extensive efforts have been made to optimise Samba for use in
organisations (for example) targeting 100,000 users, plus 120,000
computer objects, as well as large number of group memberships.
Many of the specific efforts are detailed below, but the net results
is to remove barriers to significantly larger Samba deployments
compared to previous releases.
Reindex performance improvements
--------------------------------
The performance of samba-tool dbcheck --reindex has been improved,
especially for large domains.
join performance improvements
-----------------------------
The performance of samba-tool domain join has been improved,
especially for large domains.
LDAP Server memory improvements
-------------------------------
The LDAP server has improved memory efficiency, ensuring that large
LDAP responses (for example a search for all objects) is not copied
multiple times into memory.
Setting lmdb map size
---------------------
It is now possible to set the lmdb map size (The maximum permitted
size for the database). "samba-tool" now accepts the
"--backend-store-size" i.e. --backend-store-size=4Gb. If not
specified it defaults to 8Gb.
This option is avaiable for the following sub commands:
* domain provision
* domain join
* domain dcpromo
* drs clone-dc-database
LDB "batch_mode"
----------------
To improve performance during batch operations i.e. joins, ldb now
accepts a "batch_mode" option. However to prevent any index or
database inconsistencies if an operation fails, the entire transaction
will be aborted at commit.
New LDB pack format
-------------------
On first use (startup of 'samba' or the first transaction write)
Samba's sam.ldb will be updated to a new more efficient pack format.
This will take a few moments.
New LDB <= and >= index mode to improve replication performance
---------------------------------------------------------------
As well as a new pack format, Samba's sam.ldb uses a new index format
allowing Samba to efficiently select objects changed since the last
replication cycle. This in turn improves performance during
replication of large domains.
Improvements to ldb search performance
--------------------------------------
Search performance on large LDB databases has been improved by
reducing memory allocations made on each object.
Improvements to subtree rename performance
------------------------------------------
Improvements have been made to Samba's handling of subtree renames,
for example of containers and organisational units, however large
renames are still not recommended.
REMOVED FEATURES
================
Web server
----------
As a leftover from work related to the Samba Web Administration Tool (SWAT),
Samba still supported a Python WSGI web server (which could still be turned on
from the 'server services' smb.conf parameter). This service was unused and has
now been removed from Samba.
samba-tool join subdommain
--------------------------
The subdommain role has been removed from the join command. This option did
not work and has no tests.
Python2 support
---------------
Samba 4.11 will not have any runtime support for Python 2.
If you are building Samba using the '--disable-python' option
(i.e. you're excluding all the run-time Python support), then this
will continue to work on a system that supports either python2 or
python3.
To build Samba with python2 you *must* set the 'PYTHON' environment
variable for both the 'configure' and 'make' steps, i.e.
'PYTHON=python2 ./configure'
'PYTHON=python2 make'
This will override the python3 default.
Except for this specific build-time use of python2, Samba now requires
Python 3.4 as a minimum.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
web port Removed
fruit:zero_file_id Changed default False
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
|
