The branch, master has been updated via f3d5831 Announce Samba 4.2.0. from 6f6d51d news: Add link to the survey.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f3d5831cb8eaffd3683051ff68f4ade09a41eab7 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Mar 4 21:11:12 2015 +0100 Announce Samba 4.2.0. Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: devel/index.html | 30 +- generated_news/latest_10_bodies.html | 24 +- generated_news/latest_10_headlines.html | 4 +- generated_news/latest_2_bodies.html | 23 +- history/header_history.html | 1 + history/samba-4.2.0.html | 686 ++++++++++++++++++++++++++++++++ latest_stable_release.html | 6 +- 7 files changed, 729 insertions(+), 45 deletions(-) create mode 100755 history/samba-4.2.0.html Changeset truncated at 500 lines: diff --git a/devel/index.html b/devel/index.html index ea57ded..e7ac1bf 100755 --- a/devel/index.html +++ b/devel/index.html @@ -17,12 +17,12 @@ original Subversion and CVS trees; this would include 3.0.x and 2.2.x versions of Samba, which are no longer in active development. </p> -<p>With the release of Samba 4.1.0, the 4.0 series has been turned into +<p>With the release of Samba 4.2.0, the 4.1 series has been turned into maintenance mode, which means severe bug fixes and security fixes only.</p> -<p>There will be security fixes only for the 3.6 series.</p> +<p>There will be security fixes only for the 4.0 series.</p> -<p>The 3.5 series will be discontinued.</p> +<p>The 3.6 series will be discontinued.</p> <p>For more details on the release series, current schedules and release modi, please see @@ -58,30 +58,30 @@ Release Planning</a>.</p> <p>This is the current Samba development branch.</p> </li> <li> - <h4><em>v3-6-test</em></h4> - <p>This is the current branch for 3.6.x maintenance releases + <h4><em>v4-0-test</em></h4> + <p>This is the current branch for 4.0.x maintenance releases (security fixes <em>only</em>).</p> </li> <li> - <h4><em>v3-6-stable</em></h4> - <p>This is the current branch for 3.6.x maintenance releases + <h4><em>v4-0-stable</em></h4> + <p>This is the current branch for 4.0.x maintenance releases (security fixes <em>only</em>).</p> </li> <li> - <h4><em>v4-0-test</em></h4> - <p>This is the current branch for 4.0.x maintenance releases.</p> + <h4><em>v4-1-test</em></h4> + <p>This is the current branch for 4.1.x development.</p> </li> <li> - <h4><em>v4-0-stable</em></h4> - <p>This is the current branch for 4.0.x maintenance releases.</p> + <h4><em>v4-1-stable</em></h4> + <p>This is the current branch for 4.1.x maintenance releases.</p> </li> <li> - <h4><em>v4-1-test</em></h4> - <p>This is the current branch for 4.1.x development.</p> + <h4><em>v4-2-test</em></h4> + <p>This is the current branch for 4.2.x development.</p> </li> <li> - <h4><em>v4-1-stable</em></h4> - <p>This is the current branch for 4.1.x production releases.</p> + <h4><em>v4-2-stable</em></h4> + <p>This is the current branch for 4.2.x production releases.</p> </li> </ul> diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html index 3ad1243..3d4226d 100644 --- a/generated_news/latest_10_bodies.html +++ b/generated_news/latest_10_bodies.html @@ -1,3 +1,14 @@ + <h5><a name="4.2.0">04 March 2015</a></h5> + <p class="headline">Samba 4.2.0 Available for Download</p> + <p>This is the first stable release of the Samba 4.2 series.</p> + +<p>The uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +<a href="http://samba.org/samba/ftp/stable/samba-4.2.0.tar.gz">downloaded +now</a>. See <a href="http://samba.org/samba/history/samba-4.0.23.html"> + the release notes for more info</a>.</p> + + <h5><a name="survey2015">02 March 2015</a></h5> <p class="headline">Calling all Samba Users: 2015 User Survey</p> <p>What Samba features do you care about most? Do you have problems or @@ -116,16 +127,3 @@ now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.22-4.0.23.diffs patch against Samba 4.0.22</a> is also available. See <a href="http://samba.org/samba/history/samba-4.0.23.html"> the release notes for more info</a>.</p> - - - <h5><a name="4.1.14">01 December 2014</a></h5> - <p class="headline">Samba 4.1.14 Available for Download</p> - <p>This is the latest stable release of the Samba 4.1 series.</p> - -<p>The uncompressed tarballs and patch files have been signed -using GnuPG (ID 6568B7EA). The source code can be -<a href="http://samba.org/samba/ftp/stable/samba-4.1.14.tar.gz">downloaded -now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.1.13-4.1.14.diffs.gz"> -patch against Samba 4.1.13</a> is also available. See -<a href="http://samba.org/samba/history/samba-4.1.14.html"> the release notes - for more info</a>.</p> diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html index 9acb449..e7ea696 100644 --- a/generated_news/latest_10_headlines.html +++ b/generated_news/latest_10_headlines.html @@ -1,4 +1,6 @@ <ul> + <li> 04 March 2015 <a href="#4.2.0">Samba 4.2.0 Available for Download</a></li> + <li> 02 March 2015 <a href="#survey2015">Calling all Samba Users: 2015 User Survey</a></li> @@ -21,6 +23,4 @@ <li> 20 December 2014 <a href="#4.2.0rc3">Samba 4.2.0rc3 Available for Download</a></li> <li> 15 September 2014 <a href="#4.0.22">Samba 4.0.22 Available for Download</a></li> - - <li> 01 December 2014 <a href="#4.1.14">Samba 4.1.14 Available for Download</a></li> </ul> diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html index a80366c..641a31a 100644 --- a/generated_news/latest_2_bodies.html +++ b/generated_news/latest_2_bodies.html @@ -1,3 +1,14 @@ + <h5><a name="4.2.0">04 March 2015</a></h5> + <p class="headline">Samba 4.2.0 Available for Download</p> + <p>This is the first stable release of the Samba 4.2 series.</p> + +<p>The uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +<a href="http://samba.org/samba/ftp/stable/samba-4.2.0.tar.gz">downloaded +now</a>. See <a href="http://samba.org/samba/history/samba-4.0.23.html"> + the release notes for more info</a>.</p> + + <h5><a name="survey2015">02 March 2015</a></h5> <p class="headline">Calling all Samba Users: 2015 User Survey</p> <p>What Samba features do you care about most? Do you have problems or @@ -5,15 +16,3 @@ most important to you?</p> <p>The Samba Team invites all users to participate in the <a href="https://www.surveygizmo.com/s3/2020369/Samba-User-Survey-2015">Samba Survey</a>.</p> - - - <h5><a name="4.2.0rc5">24 February 2015</a></h5> - <p class="headline">Samba 4.2.0rc5 Available for Download</p> - <p>This is the fifth release candidate of the upcoming Samba 4.2 release - series. It includes the fix for CVE-2015-0240 and other bug fixes.</p> - -<p>The uncompressed tarballs and patch files have been signed -using GnuPG (ID 6568B7EA). The source code can be -<a href="https://download.samba.org/pub/samba/rc/samba-4.2.0rc5.tar.gz">downloaded -now</a>. See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc5.txt"> -the release notes for more info</a>.</p> diff --git a/history/header_history.html b/history/header_history.html index 5c2f874..1445de4 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -10,6 +10,7 @@ <li class="navSub"> <ul> <li><a href="/samba/security/CVE-2013-0454.html">CVE-2013-0454</a></li> + <li><a href="samba-4.2.0.html">samba-4.2.0</a></li> <li><a href="samba-4.1.17.html">samba-4.1.17</a></li> <li><a href="samba-4.1.16.html">samba-4.1.16</a></li> <li><a href="samba-4.1.15.html">samba-4.1.15</a></li> diff --git a/history/samba-4.2.0.html b/history/samba-4.2.0.html new file mode 100755 index 0000000..79d7023 --- /dev/null +++ b/history/samba-4.2.0.html @@ -0,0 +1,686 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Release Notes Archive</title> +</head> + +<body> + + <H2>Samba 4.2.0 Available for Download</H2> + +<p> +<pre> + ============================= + Release Notes for Samba 4.2.0 + March 04, 2015 + ============================= + + +This is is the first stable release of Samba 4.2. + +Samba 4.2 will be the next version of the Samba suite. + + +Samba User Survey 2015 +====================== + +https://www.surveygizmo.com/s3/2020369/Samba-User-Survey-2015 + +Please take our survey. It will help us improve Samba by understanding +your knowledge and needs. The survey runs until end of March 2015 and +won't ask for any personal info. The full results will be shared with +the Samba Team, and statistical summaries will be shared with the +Samba community after the SambaXP conference (http://sambaxp.org). + + +IMPORTANT NOTE ABOUT THE SUPPORT END OF SAMBA 3 +================================================= + +With the final release of Samba 4.2, the last series of Samba 3 has +been discontinued! People still running 3.6.x or earlier,should +consider moving to a more recent and maintained version (4.0 - 4.2). +One of the common misconceptions is that Samba 4.x automatically +means "Active Directory only": This is wrong! + +Acting as an Active Directory Domain Controller is just one of the +enhancements included in Samba 4.0 and later. Version 4.0 was just the +next release after the 3.6 series and contains all the features of the +previous ones - including the NT4-style (classic) domain support. This +means you can update a Samba 3.x NT4-style PDC to 4.x, just as you've +updated in the past (e.g. from 3.4.x to 3.5.x). You don't have to move +your NT4-style domain to an Active Directory! + +And of course the possibility remains unchanged, to setup a new NT4-style +PDC with Samba 4.x, like done in the past (e.g. with openLDAP backend). +Active Directory support in Samba 4 is additional and does not replace +any of these features. We do understand the difficulty presented by +existing LDAP structures and for that reason there isn't a plan to +decommission the classic PDC support. It remains tested by the continuous +integration system. + +The code that supports the classic Domain Controller is also the same +code that supports the internal 'Domain' of standalone servers and +Domain Member Servers. This means that we still use this code, even +when not acting as an AD Domain Controller. It is also the basis for +some of the features of FreeIPA and so it gets development attention +from that direction as well. + + +UPGRADING +========= + +Read the "Winbindd/Netlogon improvements" section (below) carefully! + + +NEW FEATURES +============ + +Transparent File Compression +============================ + +Samba 4.2.0 adds support for the manipulation of file and folder +compression flags on the Btrfs filesystem. +With the Btrfs Samba VFS module enabled, SMB2+ compression flags can +be set remotely from the Windows Explorer File->Properties->Advanced +dialog. Files flagged for compression are transparently compressed +and uncompressed when accessed or modified. + +Previous File Versions with Snapper +=================================== + +The newly added Snapper VFS module exposes snapshots managed by +Snapper for use by Samba. This provides the ability for remote +clients to access shadow-copies via Windows Explorer using the +"previous versions" dialog. + +Winbindd/Netlogon improvements +============================== + +The whole concept of maintaining the netlogon secure channel +to (other) domain controllers was rewritten in order to maintain +global state in a netlogon_creds_cli.tdb. This is the proper fix +for a large number of bugs: + + https://bugzilla.samba.org/show_bug.cgi?id=6563 + https://bugzilla.samba.org/show_bug.cgi?id=7944 + https://bugzilla.samba.org/show_bug.cgi?id=7945 + https://bugzilla.samba.org/show_bug.cgi?id=7568 + https://bugzilla.samba.org/show_bug.cgi?id=8599 + +In addition a strong session key is now required by default, +which means that communication to older servers or clients +might be rejected by default. + +For the client side we have the following new options: +"require strong key" (yes by default), "reject md5 servers" (no by default). +E.g. for Samba 3.0.37 you need "require strong key = no" and +for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no", + +On the server side (as domain controller) we have the following new options: +"allow nt4 crypto" (no by default), "reject md5 client" (no by default). +E.g. in order to allow Samba < 3.0.27 or NT4 members to work +you need "allow nt4 crypto = yes" + +winbindd does not list group memberships for display purposes +(e.g. getent group <domain\<group>) anymore by default. +The new default is "winbind expand groups = 0" now, +the reason for this is the same as for "winbind enum users = no" +and "winbind enum groups = no". Providing this information is not always +reliably possible, e.g. if there are trusted domains. + +Please consult the smb.conf manpage for more details on these new options. + +Winbindd use on the Samba AD DC +=============================== + +Winbindd is now used on the Samba AD DC by default, replacing the +partial rewrite used for winbind operations in Samba 4.0 and 4.1. + +This allows more code to be shared, more options to be honoured, and +paves the way for support for trusted domains in the AD DC. + +If required the old internal winbind can be activated by setting +'server services = +winbind -winbindd'. Upgrading users with a server +services parameter specified should ensure they change 'winbind' to +'winbindd' to obtain the new functionality. + +The 'samba' binary still manages the starting of this service, there +is no need to start the winbindd binary manually. + +Winbind now requires secured connections +======================================== + +To improve protection against rogue domain controllers we now require +that when we connect to an AD DC in our forest, that the connection be +signed using SMB Signing. Set 'client signing = off' in the smb.conf +to disable. + +Also and DCE/RPC pipes must be sealed, set 'require strong key = +false' and 'winbind sealed pipes = false' to disable. + +Finally, the default for 'client ldap sasl wrapping' has been set to +'sign', to ensure the integrity of LDAP connections. Set 'client ldap +sasl wrapping = plain' to disable. + +Larger IO sizes for SMB2/3 by default +===================================== + +The default values for "smb2 max read", "smb2 max write" and "smb2 max trans" +have been changed to 8388608 (8MiB) in order to match the default of +Windows 2012R2. + +SMB2 leases +=========== + +The SMB2 protocol allows clients to aggressively cache files +locally above and beyond the caching allowed by SMB1 and SMB2 oplocks. + +Called SMB2 leases, this can greatly reduce traffic on an SMB2 +connection. Samba 4.2 now implements SMB2 leases. + +It can be turned on by setting the parameter "smb2 leases = yes" +in the [global] section of your smb.conf. This parameter is set +to off by default until the SMB2 leasing code is declared fully stable. + +Improved DCERPC man in the middle detection +=========================================== + +The DCERPC header signing has been implemented +in addition to the dcerpc_sec_verification_trailer +protection. + +Overhauled "net idmap" command +============================== + +The command line interface of the "net idmap" command has been +made systematic, and subcommands for reading and writing the autorid idmap +database have been added. Note that the writing commands should be +used with great care. See the net(8) manual page for details. + +tdb improvements +================ + +The tdb library, our core mechanism to store Samba-specific data on disk and +share it between processes, has been improved to support process shared robust +mutexes on Linux. These mutexes are available on Linux and Solaris and +significantly reduce the overhead involved with tdb. To enable mutexes for +tdb, set + +dbwrap_tdb_mutexes:* = yes + +in the [global] section of your smb.conf. + +Tdb file space management has also been made more efficient. This +will lead to smaller and less fragmented databases. + +Messaging improvements +====================== + +Our internal messaging subsystem, used for example for things like oplock +break messages between smbds or setting a process debug level dynamically, has +been rewritten to use unix domain datagram messages. + +Clustering support +================== + +Samba's file server clustering component CTDB is now integrated in the +Samba tree. This avoids the confusion of compatibility of Samba and CTDB +versions as existed previously. + +To build the Samba file server with cluster support, use the configure +command line option --with-cluster-support. This will build clustered +file server against the in-tree CTDB and will also build CTDB. +Building clustered samba with previous versions of CTDB is no longer +supported. + +Samba Registry Editor +===================== + +The utitlity to browse the samba registry has been overhauled by our Google +Summer of Code student Chris Davis. Now samba-regedit has a +Midnight-Commander-like theme and UI experience. You can browse keys and edit +the diffent value types. For a data value type a hexeditor has been +implemented. + +Bad Password Lockout in the AD DC +================================= + +Samba's AD DC now implements bad password lockout (on a per-DC basis). + +That is, incorrect password attempts are tracked, and accounts locked +out if too many bad passwords are submitted. There is also a grace +period of 60 minutes on the previous password when used for NTLM +authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305). + +The relevant settings can be seen using 'samba-tool domain +passwordsettings show' (the new settings being highlighted): + +Password informations for domain 'DC=samba,DC=example,DC=com' + +Password complexity: on +Store plaintext passwords: off +Password history length: 24 +Minimum password length: 7 +Minimum password age (days): 1 +Maximum password age (days): 42 +* Account lockout duration (mins): 30 * +* Account lockout threshold (attempts): 0 * +* Reset account lockout after (mins): 30 * + +These values can be set using 'samba-tool domain passwordsettings set'. + +Correct defaults in the smb.conf manpages +========================================= + +The default values for smb.conf parameters are now correctly specified +in the smb.conf manpage, even when they refer to build-time specified +paths. Provided Samba is built on a system with the right tools +(xsltproc in particular) required to generate our man pages, then +these will be built with the exact same embedded paths as used by the +configuration parser at runtime. Additionally, the default values +read from the smb.conf manpage are checked by our test suite to match +the values seen in testparm and used by the running binaries. + +Consistent behaviour between samba-tool testparm and testparm +============================================================= + +With the exception of the registry backend, which remains only +available in the file server, the behaviour of the smb.conf parser and +the tools 'samba-tool testparm' and 'testparm' is now consistent, +particularly with regard to default values. Except with regard to +registry shares, it is no longer needed to use one tool on the AD +DC, and another on the file server. + +VFS WORM module +=============== + +A VFS module for basic WORM (Write once read many) support has been +added. It allows an additional layer on top of a Samba share, that provides +a basic set of WORM functionality on the client side, to control the +writeability of files and folders. + +As the module is simply an additional layer, share access and permissions +work like expected - only WORM functionality is added on top. Removing the +module from the share configuration, removes this layer again. The +filesystem ACLs are not affected in any way from the module and treated +as usual. + +The module does not provide complete WORM functions, like some archiving +products do! It is not audit-proof, because the WORM function is only +available on the client side, when accessing a share through SMB! If +the same folder is shared by other services like NFS, the access only +depends on the underlying filesystem ACLs. Equally if you access the +content directly on the server. + +For additional information, see +https://wiki.samba.org/index.php/VFS/vfs_worm + +vfs_fruit, a VFS module for OS X clients +======================================== + +A new VFS module that provides enhanced compatibility with Apple SMB +clients and interoperability with a Netatalk 3 AFP fileserver. + +The module features enhanced performance with reliable named streams +support, interoperability with special characters commonly used by OS +X client (eg '*', '/'), integrated file locking and Mac metadata +access with Netatalk 3 and enhanced performance by implementing +Apple's SMB2 extension codenamed "AAPL". -- Samba Website Repository