Difference between revisions of "Samba 4.11 Features added/changed"

(Samba 4.11.0rc2)
Line 1: Line 1:
==Samba 4.11.0rc1==
+
==Samba 4.11.0rc2==
:Release Notes for Samba 4.11.0rc1
+
:Release Notes for Samba 4.11.0rc2
:July 9, 2019
+
:August 21, 2019
  
 
<onlyinclude>
 
<onlyinclude>
 
===Release Announcements===
 
===Release Announcements===
  
This is the first preview release of Samba 4.11.  This is *not* intended for production environments and is designed for testing purposes only.  Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
+
This is the second preview release of Samba 4.11.  This is *not* intended for production environments and is designed for testing purposes only.  Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
  
 
Samba 4.11 will be the next version of the Samba suite.
 
Samba 4.11 will be the next version of the Samba suite.
Line 12: Line 12:
  
 
===UPGRADING===
 
===UPGRADING===
 +
 +
====AD Database compatibility====
 +
 +
Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release.
 +
 +
Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable.
 +
 +
However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. For more details, see:
 +
:[[Downgrading_an_Active_Directory_DC]]
 +
 +
When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.
 +
 +
Note that when moving between major Samba releases in general, we recommend that the AD DC is rejoined to the domain. Using this approach avoids the need to explicitly downgrade the database manually. For more details, see:
 +
:[[Upgrading_a_Samba_AD_DC]]
  
 
====SMB1 is disabled by default====
 
====SMB1 is disabled by default====
Line 23: Line 37:
 
It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.
 
It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.
  
:Note: that most commandline tools e.g. smbclient, smbcacls and others also support the --option argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful.
+
:Note: that most commandline tools e.g. smbclient, smbcacls and others also support the '--option' argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful.
  
 
As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible.
 
As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible.
Line 34: Line 48:
 
====Default samba process model====
 
====Default samba process model====
  
The default for the --model argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead.  Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).
+
The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead.  Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).
  
 
====Authentication Logging.====
 
====Authentication Logging.====
Line 48: Line 62:
 
   <pid>    is the process id of the requesting process.
 
   <pid>    is the process id of the requesting process.
  
The version of the JSON Authentication messages has been changed to 1.2 from 1.1
+
The version of the JSON Authentication messages has been changed to 1.1 from 1.2
  
 
====LDAP referrals====
 
====LDAP referrals====
  
The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://"
+
The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://".
  
Previously all referrals were prefixed with "ldap://"
+
Previously all referrals were prefixed with "ldap://".
  
 
====Bind9 logging====
 
====Bind9 logging====
  
It is now possible to log the duration of DNS operations performed by Bind9 This should aid future diagnosis of performance issues, and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf
+
It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf.
  
 
The logs are currently Human readable text only, i.e. no JSON formatted output.
 
The logs are currently Human readable text only, i.e. no JSON formatted output.
Line 74: Line 88:
  
 
Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).
 
Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).
 +
 +
For more about how the AD schema relates to overall Windows compatibility, please read:
 +
:[[Windows_2012_Server_compatibility]]
  
 
====GnuTLS 3.2 required====
 
====GnuTLS 3.2 required====
Line 151: Line 168:
 
* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
 
* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
 
:05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.
 
:05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.
 +
 +
====CephFS Snapshot Integration====
 +
---------------------------
 +
 +
CephFS snapshots can now be exposed as previous file versions using the new ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
  
 
===REMOVED FEATURES===
 
===REMOVED FEATURES===
Line 186: Line 208:
 
   web port                          Removed
 
   web port                          Removed
 
   fruit:zero_file_id                Changed default            False
 
   fruit:zero_file_id                Changed default            False
 +
  debug encryption                  New: dump encryption keys  False
  
  

Revision as of 20:20, 21 August 2019

Samba 4.11.0rc2

Release Notes for Samba 4.11.0rc2
August 21, 2019


Release Announcements

This is the second preview release of Samba 4.11. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.11 will be the next version of the Samba suite.


UPGRADING

AD Database compatibility

Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release.

Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable.

However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. For more details, see:

Downgrading_an_Active_Directory_DC

When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.

Note that when moving between major Samba releases in general, we recommend that the AD DC is rejoined to the domain. Using this approach avoids the need to explicitly downgrade the database manually. For more details, see:

Upgrading_a_Samba_AD_DC

SMB1 is disabled by default

The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default).

It also means client tools like smbclient and other, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.

Note: that most commandline tools e.g. smbclient, smbcacls and others also support the '--option' argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at https://bugzilla.samba.org and let us know about the details.

NEW FEATURES/CHANGES

Default samba process model

The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).

Authentication Logging.

Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the windbind and SamLogon requests.

The serviceDescription of the messages is set to "winbind", the authDescriptionis set to one of:

  "PASSDB, <command>, <pid>"
  "PAM_AUTH, <command>, <pid>"
  "NTLM_AUTH, <command>, <pid>"

where:

  <command> is the name of the command makinmg the winbind request i.e. wbinfo
  <pid>     is the process id of the requesting process.

The version of the JSON Authentication messages has been changed to 1.1 from 1.2

LDAP referrals

The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://".

Previously all referrals were prefixed with "ldap://".

Bind9 logging

It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf.

The logs are currently Human readable text only, i.e. no JSON formatted output.

Log lines are of the form:

   <function>: DNS timing: result: [<result>] duration: (<duration>)
   zone: [<zone>] name: [<name>] data: []
   durations are in microseconds.

Default schema updated to 2012_R2

Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade".

Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).

For more about how the AD schema relates to overall Windows compatibility, please read:

Windows_2012_Server_compatibility

GnuTLS 3.2 required

Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.

NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.

A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now that above applies.

samba-tool improvements

A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP.

The "samba-tool [user|group|computer|group|contact] edit" command has been improved to operate more pleasantly on international character sets.

100,000 USER and LARGER Samba AD DOMAINS

Extensive efforts have been made to optimise Samba for use in organisations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as large number of group memberships.

Many of the specific efforts are detailed below, but the net results is to remove barriers to significantly larger Samba deployments compared to previous releases.

Reindex performance improvements

The performance of samba-tool dbcheck --reindex has been improved, especially for large domains.

join performance improvements

The performance of samba-tool domain join has been improved, especially for large domains.

LDAP Server memory improvements

The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) is not copied multiple times into memory.

Setting lmdb map size

It is now possible to set the lmdb map size (The maximum permitted size for the database). "samba-tool" now accepts the "--backend-store-size" i.e. --backend-store-size=4Gb. If not specified it defaults to 8Gb.

This option is avaiable for the following sub commands:

  • domain provision
  • domain join
  • domain dcpromo
  • drs clone-dc-database

LDB "batch_mode"

To improve performance during batch operations i.e. joins, ldb now accepts a "batch_mode" option. However to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.

New LDB pack format

On first use (startup of 'samba' or the first transaction write) Samba's sam.ldb will be updated to a new more efficient pack format. This will take a few moments.

New LDB <= and >= index mode to improve replication performance

As well as a new pack format, Samba's sam.ldb uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle. This in turn improves performance during replication of large domains.

LDB_Greater_than_and_Less_than_indexing

Improvements to ldb search performance

Search performance on large LDB databases has been improved by reducing memory allocations made on each object.

Improvements to subtree rename performance

Improvements have been made to Samba's handling of subtree renames, for example of containers and organisational units, however large renames are still not recommended.

CTDB changes

  • nfs-linux-kernel-callout now defaults to using systemd service names
The Red Hat service names continue to be the default.
Other distributions should patch this file when packaging it.
  • The onnode -o option has been removed
  • ctdbd logs when it is using more than 90% of a CPU thread
ctdbd is single threaded, so can become saturated if it uses the full capacity of a CPU thread. To help detect this situation, ctdbd now logs messages when CPU utilisation exceeds 90%. Each change in CPU utilisation over 90% is logged. A message is also logged when CPU utilisation drops below the 90% threshold.
  • Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.

CephFS Snapshot Integration


CephFS snapshots can now be exposed as previous file versions using the new ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.

REMOVED FEATURES

Web server

As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has now been removed from Samba.

samba-tool join subdomain

The subdomain role has been removed from the join command. This option did not work and has no tests.

Python2 support

Samba 4.11 will not have any runtime support for Python 2.

If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.

  'PYTHON=python2 ./configure'
  'PYTHON=python2 make'

This will override the python3 default.

Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.


smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 allocation roundup size            Default changed/Deprecated 0
 client min protocol                Changed default            SMB2_02
 server min protocol                Changed default            SMB2_02
 mangled names                      Changed default            illegal
 web port                           Removed
 fruit:zero_file_id                 Changed default            False
 debug encryption                   New: dump encryption keys  False


KNOWN ISSUES

Release_Planning_for_Samba_4.11#Release_blocking_bugs Release blocking bugs
https://download.samba.org/pub/samba/rc/samba-4.11.0rc1.WHATSNEW.txt