The branch, master has been updated
       via  eea4ca9 Add Samba 4.6.0 to the list.
       via  67fa702 NEWS[4.6.0]: Samba 4.6.0 Available for Download
      from  03a2579 history/samba-4.5.5.html: Clarify that's a fix for 

- Log -----------------------------------------------------------------
commit eea4ca9f02373db880907960348a78e6727cb7cf
Author: Karolin Seeger <>
Date:   Tue Mar 7 10:22:12 2017 +0100

    Add Samba 4.6.0 to the list.
    Signed-off-by: Karolin Seeger <>

commit 67fa7028c124e4be5e6b41411ba066582eb9e78c
Author: Karolin Seeger <>
Date:   Tue Mar 7 10:16:49 2017 +0100

    NEWS[4.6.0]: Samba 4.6.0 Available for Download
    Signed-off-by: Karolin Seeger <>


Summary of changes:
 history/header_history.html                     |   1 +
 history/samba-4.6.0.html                        | 482 ++++++++++++++++++++++++
 posted_news/20170307-092037.4.6.0.body.html     |  12 +
 posted_news/20170307-092037.4.6.0.headline.html |   3 +
 4 files changed, 498 insertions(+)
 create mode 100644 history/samba-4.6.0.html
 create mode 100644 posted_news/20170307-092037.4.6.0.body.html
 create mode 100644 posted_news/20170307-092037.4.6.0.headline.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 45dd4b5..9d60d53 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
                <li><a href="/samba/history/">Release Notes</a>
                <li class="navSub">
+                       <li><a href="samba-4.6.0.html">samba-4.6.0</a></li>
                        <li><a href="samba-4.5.5.html">samba-4.5.5</a></li>
                        <li><a href="samba-4.5.4.html">samba-4.5.4</a></li>
                        <li><a href="samba-4.5.3.html">samba-4.5.3</a></li>
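Review bot: The new samba-4.6.0 entry uses a relative href ("samba-4.6.0.html"), so it resolves only when this header is included from a page served under the history directory, whereas the "Release Notes" link two lines above it is absolute ("/samba/history/"). The 4.5.x siblings follow the same relative pattern, so this is consistent with the file, but if the header is ever included from another path the whole sublist breaks; consider "/samba/history/samba-4.6.0.html" here and for the existing entries in a follow-up.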
diff --git a/history/samba-4.6.0.html b/history/samba-4.6.0.html
new file mode 100644
index 0000000..a9e0617
--- /dev/null
+++ b/history/samba-4.6.0.html
@@ -0,0 +1,482 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "";>
+<html xmlns="";>
+<title>Samba 4.6.0 - Release Notes</title>
+<H2>Samba 4.6.0 Available for Download</H2>
+<a href="";>Samba 
4.6.0 (gzipped)</a><br>
+Release Announcements
+This is the first stable release of Samba 4.6.
+Please read the release notes carefully before upgrading.
+ID Mapping
+We discovered that the majority of users have an invalid or incorrect
+ID mapping configuration. We implemented checks in the &apos;testparm&apos; 
tool to
+validate the ID mapping configuration. You should run it and check if it prints
+any warnings or errors after upgrading! If it does you should fix them. See the
+&apos;IDENTITY MAPPING CONSIDERATIONS&apos; section in the smb.conf manpage.
+There are some ID mapping backends which are not allowed to be used for the
+default backend. Winbind will no longer start if an invalid backend is
+configured as the default backend.
+To avoid problems in future we advise all users to run &apos;testparm&apos; 
+changing the smb.conf file!
+vfs_fruit option &quot;fruit:resource&quot; spelling correction
+Due to a spelling error in the vfs_fruit option parsing for the 
+option, users who have set this option in their smb.conf were still using the
+default setting &quot;fruit:resource = file&quot; as the parser was looking 
for the string
+&quot;fruit:ressource&quot; (two &quot;s&quot;).
+After upgrading to this Samba version 4.6, you MUST either remove the option
+from your smb.conf or set it to the default &quot;fruit:resource = file&quot;, 
+your macOS clients will not be able to access the resource fork data.
+This version Samba 4.6 accepts both the correct and incorrect spelling, but the
+next Samba version 4.7 will not accept the wrong spelling.
+Users who were using the wrong spelling &quot;ressource&quot; with two 
&quot;s&quot; can keep the
+setting, but are advised to switch to the correct spelling.
+vfs_fruit Netatalk metadata xattr name on *BSD
+Users on *BSD must rename the metadata xattr used by vfs_fruit when
+using the default setting &quot;fruit:metadata = netatalk&quot;.
+Due to a glitch in the Samba xattr API compatibility layer for FreeBSD and a
+mistake in vfs_fruit, vfs_fruit ended up using the wrong xattr name when
+configured with &quot;fruit:metadata = netatalk&quot; (default). Instead of 
the correct
+  org.netatalk.Metadata
+it used
+  netatalk.Metadata
+Starting with Samba 4.6 vfs_fruit will use the correct 
+which means existing installations must rename this xattrs. For this purpose
+Samba now includes a new tool `mvxattr`. See below for further details.
+Kerberos client encryption types
+Some parts of Samba (most notably winbindd) perform Kerberos client
+operations based on a Samba-generated krb5.conf file. A new
+parameter, &quot;kerberos encryption types&quot; allows configuring the
+encryption types set in this file, thereby allowing the user to
+enforce strong or legacy encryption in Kerberos exchanges.
+The default value of &quot;all&quot; is compatible with previous behavior, 
+all encryption algorithms to be negotiated. Setting the parameter to 
+only allows AES-based algorithms to be negotiated. Setting the parameter to
+&quot;legacy&quot; allows only RC4-HMAC-MD5 - the legacy algorithm for Active 
+This can solves some corner cases of mixed environments with Server 2003R2 and
+newer DCs.
+Support for uploading printer drivers from newer Windows clients (Windows 10)
+has been added until our implementation of [MS-PAR] protocol is ready.
+Several issues with uploading different printing drivers have been addressed.
+The OS Version for the printing server has been increased to announce
+Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
+check the smb.conf manpage for details.
+New option for owner inheritance
+The &quot;inherit owner&quot; smb.conf parameter instructs smbd to set the
+owner of files to be the same as the parent directory&apos;s owner.
+Up until now, this parameter could be set to &quot;yes&quot; or &quot;no&quot;.
+A new option, &quot;unix only&quot;, enables this feature only for the UNIX 
+of the file, not affecting the SID owner in the Windows NT ACL of the
+file. This can be used to emulate something very similar to folder quotas.
+Multi-process Netlogon support
+The Netlogon server in the Samba AD DC can now run as multiple
+processes.  The Netlogon server is a part of the AD DC that handles
+NTLM authentication on behalf of domain members, including file
+servers, NTLM-authenticated web servers and 802.1x gateways.  The
+previous restriction to running as a single process has been removed,
+and it will now run in the same process model as the rest of the
+&apos;samba&apos; binary.
+As part of this change, the NETLOGON service will now run on a distinct
+TCP port, rather than being shared with all other RPC services (LSA,
+New options for controlling TCP ports used for RPC services
+The new &apos;rpc server port&apos; option controls the default port used for
+RPC services other than Netlogon.  The Netlogon server honours instead
+the &apos;rpc server port:netlogon&apos; option.  The default value for both
+these options is the first available port including or after 1024.
+AD LDAP and replication performance improvements
+Samba&apos;s LDB (the database holding the AD directory tree, as seen via
+LDAP) and our DRSUAPI replication code continues to improve,
+particularly in respect to the handling of large numbers of objects or
+linked attributes.
+ * We now respect an &apos;uptodateness vector&apos; which will dramatically
+   reduce the over-replication of links from new DCs.
+ * We have also made the parsing of on-disk linked attributes much
+   more efficient.
+ * We rely on ldb 1.1.28.  This ldb version has improved memory
+   handling for ldb search results, improving poorly indexed and
+   unindexed search result processing speed by around 20%.
+DNS improvements
+The samba-tool dns subcommand is now much more robust and can delete
+records in a number of situations where it was not possible to do so
+in the past.
+On the server side, DNS names are now more strictly validated.
+CTDB changes
+* &quot;ctdb event&quot; is a new top-level command for interacting with event 
+  &quot;ctdb event status&quot; replaces &quot;ctdb scriptstatus&quot; - the 
latter is
+  maintained for backward compatibility but the output format has been
+  cleaned up
+  &quot;ctdb event run&quot; replaces &quot;ctdb eventscript&quot;
+  &quot;ctdb event script enable&quot; replaces &quot;ctdb enablescript&quot;
+  &quot;ctdb event script disable&quot; replaces &quot;ctdb disablescript&quot;
+  The new command &quot;ctdb event script list&quot; lists event scripts.
+* CTDB&apos;s back-end for running event scripts has been replaced by a
+  separate, long-running daemon ctdbd_eventd.
+* Running ctdb interactively will log to stderr
+* CTDB logs now include process id for each process
+* CTDB tags log messages differently.  Changes include:
+  ctdb-recoverd: Messages from CTDB&apos;s recovery daemon
+  ctdb-recovery: Messages from CTDB database recovery
+  ctdb-eventd: Messages from CTDB&apos;s event daemon
+  ctdb-takeover: Messages from CTDB&apos;s public IP takeover subsystem
+* The mapping between symbolic and numeric debug levels has changed
+  Configurations containing numeric debug levels should be updated.
+  Symbolic debug levels are recommended.  See the DEBUG LEVEL section
+  of ctdb(7) for details.
+* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
+  See ctdb-tunables(7) for details.
+* CTDB&apos;s configuration tunables should be consistently set across a 
+  This has always been the cases for most tunables but this fact is
+  now documented.
+* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
+  To build/install these, use the &quot;--enable-etcd-reclock&quot; and
+  &quot;--enable-ceph-reclock&quot; configure options.
+winbind changes
+winbind contains code that tries to emulate the group membership calculation
+that domain controllers do when a user logs in. This group membership 
+is a very complex process, in particular for domain trust relationship
+situations. Also, in many scenarios it is impossible for winbind to
+correctly do this calculation due to access restrictions in the
+domains: winbind using its machine account simply does not have the
+rights to ask for an arbitrary user&apos;s group memberships.
+When a user logs in to a Samba server, the domain controller correctly
+calculates the user&apos;s group memberships authoritatively and makes the
+information available to the Samba server. This is the only reliable
+way Samba can get informed about the groups a user is member of.
+Because of its flakiness, the fallback group membership code is unwished,
+and our code pathes try hard to only use of the group memberships
+calculated by the domain controller.
+However, a lot of admins rely on the fallback behavior in order to support
+access for nfs access, ssh public key authentication and passwordless sudo.
+That&apos;s the reason for changing this back between 4.6.0rc4 and 4.6.0
+(See BUG 12612).
+The winbind change to simplify the calculation of supplementary groups to make
+it more reliable and predictable has been deferred to 4.7 or later.
+This means that &apos;id &lt;username&gt;&apos; without the user having logged 
+previously works similar to 4.5.
+winbind primary group and nss info
+With 4.6, it will be possible to optionally use the primary group as
+set in the &quot;Unix Attributes&quot; tab for the local unix token of a domain
+user.  Before 4.6, the Windows primary group was always chosen as
+primary group for the local unix token.
+To activate the unix primary group, set
+idmap config &lt;DOMAIN&gt; : unix_primary_group = yes
+Similarly, set
+idmap config &lt;DOMAIN&gt; : unix_nss_info = yes
+to retrieve the home directory and login shell from the &quot;Unix
+Attributes&quot; of the user. This supersedes the &quot;winbind nss info&quot;
+parameter with a per-domain configuration option.
+mvxattr is a simple utility to recursively rename extended attributes of all
+files and directories in a directory tree.
+  Usage: mvxattr -s STRING -d STRING PATH [PATH ...]
+    -s, --from=STRING         xattr source name
+    -d, --to=STRING           xattr destination name
+    -l, --follow-symlinks     follow symlinks, the default is to ignore them
+    -p, --print               print files where the xattr got renamed
+    -v, --verbose             print files as they are checked
+    -f, --force               force overwriting of destination xattr
+  Help options:
+    -?, --help                Show this help message
+    --usage                   Display brief usage message
+The idmap_hash module is marked as deprecated with this release and will be
+removed in a future version. See the manpage of the module for details.
+smb.conf changes
+  Parameter Name                Description             Default
+  --------------                -----------             -------
+  kerberos encryption types     New                     all
+  inherit owner                 New option
+  fruit:resource                Spelling correction
+  lsa over netlogon             New (deprecated)        no
+  rpc server port               New                     0
+o  Jeremy Allison &lt;;
+   * BUG 12592: Fix several issues found by covscan.
+   * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send
+     queue is drained.
+o  Ralph Boehme &lt;;
+   * BUG 12427: vfs_fruit doesn&apos;t work with fruit:metadata=stream.
+   * BUG 12526: vfs_fruit: Only veto AppleDouble files if 
&quot;fruit:resource&quot; is
+     set to &quot;file&quot;.
+   * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch.
+o  Volker Lendecke &lt;;
+   * BUG 12612: Re-enable token groups fallback.
+o  Stefan Metzmacher &lt;;
+   * BUG 9048: Samba4 ldap error codes.
+   * BUG 12557: gensec:spnego: Add debug message for the failed principal.
+   * BUG 12605: s3:winbindd: Fix endless forest trust scan.
+   * BUG 12612: winbindd: Find the domain based on the sid within
+     wb_lookupusergroups_send().
+o  Andreas Schneider &lt;;
+   * BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token()
+     correctly.
+   * BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash
+     manpage.
+   * BUG 12592: Fix several issues found by covscan.
+o  Martin Schwenke &lt;;
+   * BUG 12592: ctdb-logging: CID 1396883 Dereference null return value
+o  Jeremy Allison &lt;;
+   * BUG 12545: s3: rpc_server/mdssvc: Add attribute 
+   * BUG 12572: s3: smbd: Don&apos;t loop infinitely on bad-symlink resolution.
+o  Ralph Boehme &lt;;
+   * BUG 12490: vfs_fruit: Correct Netatalk metadata xattr on FreeBSD.
+   * BUG 12536: s3/smbd: Check for invalid access_mask
+     smbd_calculate_access_mask().
+   * BUG 12591: vfs_streams_xattr: use fsp, not base_fsp.
+o  Amitay Isaacs &lt;;
+   * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler().
+   * BUG 12595: build: Fix generation of CTDB manpages while creating tarball.
+o  Bryan Mason &lt;;
+   * BUG 12575: Modify smbspool_krb5_wrapper to just fall through to smbspool 
+     AUTH_INFO_REQUIRED is not set or is not &quot;negotiate&quot;.
+o  Stefan Metzmacher &lt;;
+   * BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over 
+     against trusted domains.
+   * BUG 12262: &apos;net ads testjoin&apos; and smb access fails after 
winbindd changed the
+     trust password.
+   * BUG 12585: librpc/rpc: fix regression in
+   * BUG 12586: netlogon_creds_cli_LogonSamLogon doesn&apos;t work without
+     netr_LogonSamLogonEx.
+   * BUG 12587: winbindd child segfaults on connect to an NT4 domain.
+   * BUG 12588: s3:winbindd: Make sure cm_prepare_connection() only returns OK
+     with a valid tree connect.
+   * BUG 12598: winbindd (as member) requires kerberos against trusted ad 
+     while it shouldn&apos;t.
+   * BUG 12601: Backport pytalloc_GenericObject_reference() related changes to
+     4.6.
+o  Garming Sam &lt;;
+   * BUG 12600: dbchecker: Stop ignoring linked cases where both objects are
+     alive.
+o  Andreas Schneider &lt;;
+   * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir().
+o  Martin Schwenke &lt;;
+   * BUG 12589: CTDB statd-callout does not cause grace period when
+     CTDB_NFS_CALLOUT=&quot;&quot;.
+   * BUG 12595: ctdb-build: Fix RPM build.
+o  Jeremy Allison &lt;;
+   * BUG 12499: s3: vfs: dirsort doesn&apos;t handle opendir of &quot;.&quot; 
+   * BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store
+     the same path as streams_xattr_recheck().
+   * BUG 12531: Make vfs_shadow_copy2 cope with server changing directories.
+o  Andrew Bartlett &lt;;
+   * BUG 12543: samba-tool: Correct handling of default value for use_ntvfs and
+     use_xattrs.
+   * BUG 12573: Samba &lt; 4.7 does not know about compatibleFeatures and
+     requiredFeatures.
+   * BUG 12577: &apos;samba-tool dbcheck&apos; gives errors on one-way links 
after a
+     rename.
+o  Ralph Boehme &lt;;
+   * BUG 12184: s3/rpc_server: Shared rpc modules loading.
+   * BUG 12520: Ensure global &quot;smb encrypt = off&quot; is effective.
+   * BUG 12524: s3/rpc_server: Move rpc_modules.c to its own subsystem.
+   * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses
+     readdirattr.
+o  Volker Lendecke &lt;;
+   * BUG 12551: smbd: Fix &quot;map acl inherit&quot; = yes.
+o  Stefan Metzmacher &lt;;
+   * BUG 12398: Replication with DRSUAPI_DRS_CRITICAL_ONLY and
+   * BUG 12540: s3:smbd: allow &quot;server min protocol = SMB3_00&quot; to go 
via &quot;SMB
+     2.???&quot; negprot.
+o  John Mulligan &lt;;
+   * BUG 12542: docs: Improve description of &quot;unix_primary_group&quot; 
parameter in
+     idmap_ad manpage.
+o  Andreas Schneider &lt;;
+   * BUG 12552: waf: Do not install the unit test binary for krb5samba.
+o  Amitay Isaacs &lt;;
+   * BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel.
+   * BUG 12549: ctdb-common: ioctl(.. FIONREAD ..) returns an int value.
+o  Garming Sam &lt;;
+   * BUG 12577: &apos;samba-tool dbcheck&apos; gives errors on one-way links 
after a
+     rename.
+o  Uri Simchoni &lt;;
+   * BUG 12529: waf: Backport finding of pkg-config.
+o  Amitay Isaacs &lt;;
+   * BUG 12469: CTDB lock helper getting stuck trying to lock a record.
+   * BUG 12500: ctdb-common: Fix a bug in packet reading code for generic 
+     I/O.
+   * BUG 12510: sock_daemon_test 4 crashes with SEGV.
+   * BUG 12513: ctdb-daemon: Remove stale eventd socket.
+o  Bj&ouml;rn Jacke &lt;;
+   * BUG 12535: vfs_default: Unlock the right file in copy chunk.
+o  Volker Lendecke &lt;;
+   * BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets.
+   * BUG 12538: Backport winbind fixes.
+o  Stefan Metzmacher &lt;;
+   * BUG 12501: s3:winbindd: talloc_steal the extra_data in
+     winbindd_list_users_recv().
+o  Martin Schwenke &lt;;
+   * BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to
+     send.
+   * BUG 12512: ctdb-scripts: Fix remaining uses of &quot;ctdb 
+   * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with 
+     &apos;default&apos; entries.
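Review bot: In the "smb.conf changes" table, "rpc server port" is listed with default 0, while the paragraph under "New options for controlling TCP ports used for RPC services" gives the default as "the first available port including or after 1024"; the notes should say how the two relate, and the table has no row for "rpc server port:netlogon" although the text introduces it. Since the notes also say NETLOGON now runs on a distinct TCP port, a sentence telling administrators who filter RPC traffic to pin both options would help. The "Kerberos client encryption types" section describes the default "all" as allowing every algorithm, including the RC4-HMAC-MD5 that "legacy" selects, without saying which value is recommended. In the same table the "inherit owner" and "fruit:resource" rows leave the Default column empty. Wording nits in the added text: "This can solves", "code pathes", "rename this xattrs", "This has always been the cases".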

Samba Website Repository
