RHEL-89870: Rebase Samba to the latest 4.22.x release


    • Type: Story
    • Resolution: Unresolved
    • rhel-10.1
    • samba
    • samba-4.22.4-104.el10
    • Important
    • Rebase
    • rhel-idm-uah
    • ssg_idm
    • RHELs: 10.1, 9.7
    • Rebase
      .`samba` rebased to version 4.22.4

      The `samba` package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:

      * Samba supports Server Message Block version 3 (SMB3) directory leases. With this enhancement, clients can cache directory listings, which reduces network traffic and improves performance.
      * Samba supports querying domain controller (DC) information by using TCP-based LDAP or LDAPS, as an alternative to the traditional connectionless LDAP (CLDAP) method over UDP port 389. This enhancement improves compatibility with environments in which firewalls block UDP traffic to domain controllers. You can configure the protocol by using the `client netlogon ping protocol` parameter (default value: `cldap`).
      * The following configuration parameters are removed:
      ** `nmbd_proxy_logon`: This setting was used to forward NetLogon authentication requests to a Windows NT4 primary domain controller (PDC) before Samba introduced its own NetBIOS over TCP/IP (NBT) server.
      ** `cldap port`: Connectionless Lightweight Directory Access Protocol (CLDAP) always uses UDP port 389. Additionally, the Samba code did not use this parameter consistently, so the behavior was inconsistent.
      ** `fruit:posix_rename`: This option of the `vfs_fruit` module is removed because it could result in severe problems for Windows clients. As a possible workaround to prevent the creation of `.DS_Store` files on network mounts, run the `defaults write com.apple.desktopservices DSDontWriteNetworkStores true` command on macOS.

      Note that the Server Message Block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

      Back up the database files before you start Samba for the first time after the update. Samba automatically upgrades its `tdb` database files in place when the `smbd`, `nmbd`, or `winbind` services start, and Red Hat does not support downgrading `tdb` database files.

      After updating Samba, use the `testparm` utility to verify the `/etc/samba/smb.conf` file. `testparm` reports the removed parameters as unknown and ignores them, so delete them from the configuration rather than relying on that warning.
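The post-update steps above (back up the `tdb` files, then validate `smb.conf` with `testparm`), as an added shell example that is not part of the Red Hat release note or of Samba itself. It archives every `.tdb` below a directory, scans an `smb.conf` for the three parameters the 4.22 release notes list as removed, and shows where `testparm` fits in. The sample `smb.conf` contents, the paths and the helper names are constructed for illustration; the list of removed parameters is the one from the upstream "smb.conf changes" table.

```shell
#!/bin/sh
# Added example (not Red Hat's or Samba's own code): pre-start hygiene after the 4.22 rebase.
# 1. archive the tdb databases (smbd/nmbd/winbind upgrade them in place and a downgrade is
#    unsupported), 2. flag smb.conf parameters that 4.22 removed, 3. run testparm if present.
# Paths and sample contents below are constructed for illustration.

# Parameters removed in 4.22 (from the "smb.conf changes" table of the upstream release notes).
SAMBA_422_REMOVED='nmbd proxy logon,cldap port,fruit:posix_rename'

# backup_samba_db SRCDIR DESTFILE: tar every *.tdb below SRCDIR (e.g. /var/lib/samba) into DESTFILE
backup_samba_db() {
    src="$1"; dest="$2"
    if [ -z "$(find "$src" -name '*.tdb' -type f 2>/dev/null)" ]; then
        echo "no .tdb files below $src" >&2
        return 1
    fi
    (cd "$src" && find . -name '*.tdb' -type f | tar -cf - -T -) > "$dest"
}

# find_removed_params SMBCONF: print each parameter in the file that 4.22 removed, one per line.
# Matching is case-insensitive, ignores surrounding whitespace and treats '_' like ' ' so that
# both spellings seen in documentation (nmbd proxy logon / nmbd_proxy_logon) are caught.
find_removed_params() {
    awk -v removed="$SAMBA_422_REMOVED" '
        function norm(s) {
            s = tolower(s); gsub(/_/, " ", s); gsub(/[ \t]+/, " ", s)
            sub(/^ /, "", s); sub(/ $/, "", s); return s
        }
        BEGIN { n = split(removed, r, ","); for (i = 1; i <= n; i++) bad[norm(r[i])] = 1 }
        /^[ \t]*$/ { next }                      # blank line
        /^[ \t]*[#;]/ { next }                   # comment
        /^[ \t]*\[/ { next }                     # [section] header
        index($0, "=") == 0 { next }             # not a "key = value" line
        {
            key = substr($0, 1, index($0, "=") - 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (norm(key) in bad) print key      # print the key as written in the file
        }' "$1"
}

# check_smb_conf SMBCONF: 0 when no removed parameter is present, 1 otherwise (list on stderr)
check_smb_conf() {
    hits=$(find_removed_params "$1")
    if [ -n "$hits" ]; then
        printf 'removed in Samba 4.22, drop these before relying on testparm:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_conf DESTFILE OLD|NEW: write a constructed smb.conf used for demonstration only
make_sample_conf() {
    if [ "$2" = OLD ]; then
        cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    ; pre-4.22 settings that testparm now reports as unknown
    cldap port = 389
    NMBD_PROXY_LOGON = no
    vfs objects = fruit streams_xattr
    fruit:posix_rename = yes
[share]
    path = /srv/share
EOF
    else
        cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    client netlogon ping protocol = ldaps
    vfs objects = fruit streams_xattr
[share]
    path = /srv/share
EOF
    fi
}

# Usage on a live system (as root, before the first service start after the update):
#   backup_samba_db /var/lib/samba /root/samba-tdb-$(date +%F).tar &&
#   check_smb_conf /etc/samba/smb.conf &&
#   { command -v testparm >/dev/null && testparm -s /etc/samba/smb.conf >/dev/null; }
```

`testparm` only warns about unknown parameters and then ignores them, which is why the scan flags them explicitly instead of depending on that output. Keep the tar archive until the upgraded services have been confirmed healthy; it is the only way back to the pre-rebase `tdb` files.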

      NEW FEATURES/CHANGES
      ====================

      SMB3 Directory Leases
      ---------------------

      Starting with Samba 4.22, SMB3 Directory Leases are supported. The new global option "smb3 directory leases" controls whether the feature is enabled or not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and disabled on clustered Samba, based on the "clustering" option. See man smb.conf for more details.

      SMB3 Directory Leases allow clients to cache directory listings and, depending on the workload, result in a decent reduction in SMB requests from clients.

      Netlogon Ping over LDAP and LDAPS
      ---------------------------------

      Samba must query domain controller information via simple queries on the AD rootdse's netlogon attribute. Typically this is done via connectionless LDAP, using UDP on port 389. The same information is also available via classic LDAP rootdse queries over TCP. Samba can now be configured to use TCP via the new "client netlogon ping protocol" parameter to enable running in environments where firewalls completely block port 389 or UDP traffic to domain controllers.
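Before switching `client netlogon ping protocol` away from `cldap`, it is worth confirming which transport the firewall between the member and the domain controllers actually permits. The shell example below (added here; it is not Samba's or Red Hat's code) issues the same anonymous rootDSE `netlogon` query over CLDAP (UDP 389), LDAP (TCP 389) or LDAPS (TCP 636) with OpenLDAP's `ldapsearch`, so each transport can be tested in isolation. The host names and domain are illustrative and the helper names are this example's own; the `NtVer` value is the standard NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX flag combination.

```shell
#!/bin/sh
# Added example (not Samba's or Red Hat's code): send the rootDSE "netlogon" query that a
# netlogon ping consists of over each transport that "client netlogon ping protocol" accepts,
# to see which ones a firewall lets through. Needs OpenLDAP's ldapsearch when run live.

# NtVer bits requested: NETLOGON_NT_VERSION_5 (0x2) | NETLOGON_NT_VERSION_5EX (0x4) = 0x6,
# sent as a 4-byte little-endian value in RFC 4515 hex-escape form.
NTVER_5EX='\06\00\00\00'

# netlogon_ping_filter DNSDOMAIN [HOST]: the LDAP filter of the netlogon rootDSE query.
# HOST is optional; when given the DC also evaluates the client's site for that host.
netlogon_ping_filter() {
    if [ -n "${2:-}" ]; then
        printf '(&(DnsDomain=%s)(Host=%s)(NtVer=%s))' "$1" "$2" "$NTVER_5EX"
    else
        printf '(&(DnsDomain=%s)(NtVer=%s))' "$1" "$NTVER_5EX"
    fi
}

# netlogon_ping_uri PROTOCOL DC: map an smb.conf value (cldap|ldap|ldaps) to an ldapsearch URI
netlogon_ping_uri() {
    case "$1" in
        cldap) printf 'cldap://%s' "$2" ;;   # UDP 389, the default
        ldap)  printf 'ldap://%s'  "$2" ;;   # TCP 389
        ldaps) printf 'ldaps://%s' "$2" ;;   # TCP 636, needs the DC's CA trusted by OpenLDAP
        *) echo "unknown protocol '$1' (expected cldap, ldap or ldaps)" >&2; return 1 ;;
    esac
}

# netlogon_ping PROTOCOL DC DNSDOMAIN: anonymous base-scope rootDSE search for "netlogon".
# Returns 0 when the DC answered over that transport. The attribute value is a binary
# NETLOGON_SAM_LOGON_RESPONSE_EX blob (printed base64 by ldapsearch), so only its presence
# is checked here.
netlogon_ping() {
    uri=$(netlogon_ping_uri "$1" "$2") || return 1
    ldapsearch -LLL -x -H "$uri" -b '' -s base "$(netlogon_ping_filter "$3")" netlogon \
        | grep -q '^netlogon:'
}

# Usage against a live DC (illustrative names):
#   for p in cldap ldap ldaps; do
#       if netlogon_ping "$p" dc1.example.com example.com; then echo "$p: ok"; else echo "$p: blocked"; fi
#   done
```

A transport that answers here is one Samba can use after the corresponding `client netlogon ping protocol` value is set. For `ldaps`, `ldapsearch` validates the DC certificate against the CA configured for OpenLDAP (`TLS_CACERT` in `ldap.conf`), so a failure there can be a trust problem rather than a firewall one.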

      Experimental Himmelblaud Authentication in Samba
      ------------------------------------------------

      Samba now includes experimental support for Azure Entra ID authentication via `himmelblaud`, located in the `rust/` directory. This implementation provides basic authentication and is configured through `smb.conf`, utilizing options such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.

      To enable, configure Samba with `--enable-rust --with-himmelblau`.

      AD DC schema upgrade and provision performance improvements
      -----------------------------------------------------------

      By increasing the LDB index cache size for certain offline operations that are likely to require large transactions, these are now several times faster.

      REMOVED FEATURES
      ================

      The "nmbd proxy logon" feature was removed. This was used before Samba4 acquired a NBT server.

      The parameter "cldap port" has been removed. CLDAP runs over UDP port 389; we don't see a reason why this should ever be changed to a different port. Moreover, we had several places in the code where Samba did not respect this parameter, so the behaviour was at least inconsistent.

      fruit:posix_rename
      ------------------
      This option of the vfs_fruit VFS module that could be used to enable POSIX directory rename behaviour for OS X clients has been removed as it could result in severe problems for Windows clients. As a possible workaround it is possible to prevent creation of .DS_Store files (a Finder thingy to store directory view settings) on network mounts by running

      $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

      on the Mac.

      smb.conf changes
      ================

      Parameter Name                  Description    Default
      --------------                  -----------    -------
      smb3 directory leases           New            Auto
      vfs mkdir use tmp name          New            Auto
      client netlogon ping protocol   New            cldap
      himmelblaud hello enabled       New            no
      himmelblaud hsm pin path        New            default hsm pin path
      himmelblaud sfa fallback        New            no
      client use krb5 netlogon        Experimental   no
      reject aes netlogon servers     Experimental   no
      server reject aes schannel      Experimental   no
      server support krb5 netlogon    Experimental   no
      fruit:posix_rename              Removed
      cldap port                      Removed


      CHANGES SINCE 4.22.0rc4
      =======================

      o  Ralph Boehme <slow@samba.org>
         * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.

      o  Anoop C S <anoopcs@samba.org>
         * BUG 15797: Unable to connect to CephFS subvolume shares with vfs_shadow_copy2.

      o  Stefan Metzmacher <metze@samba.org>
         * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.

      o  Martin Schwenke <mschwenke@ddn.com>
         * BUG 15820: Incorrect FSF address in ctdb pcp scripts.

      o  Andrea Venturoli <ml@netfence.it>
         * BUG 15804: "samba-tool domain backup offline" hangs.

      CHANGES SINCE 4.22.0rc3
      =======================

      o  Stefan Metzmacher <metze@samba.org>
         * BUG 15815: client use krb5 netlogon is experimental and should not be used in production.

      CHANGES SINCE 4.22.0rc2
      =======================

      o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
         * BUG 15738: Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later.

      o  Björn Baumbach <bb@sernet.de>
         * BUG 15806: samba-tool acl commands broken for relative path names.
         * BUG 15807: pysmbd seg faults when file is not found.

      o  Ralph Boehme <slow@samba.org>
         * BUG 15796: Spotlight search results don't show file size and creation date.

      o  Pavel Filipenský <pfilipensky@samba.org>
         * BUG 15759: net ads create/join/winbind producing unix dysfunctional keytabs.

      o  Volker Lendecke <vl@samba.org>
         * BUG 15806: samba-tool acl commands broken for relative path names.
         * BUG 15807: pysmbd seg faults when file is not found.

      o  Stefan Metzmacher <metze@samba.org>
         * BUG 15680: Trust domains are not created.

      o  Andreas Schneider <asn@samba.org>
         * BUG 15680: Trust domains are not created.

      o  Shweta Sodani <ssodani@redhat.com>
         * BUG 15703: General improvements for vfs_ceph_new module.

      CHANGES SINCE 4.22.0rc1
      =======================

      o  Björn Baumbach <bb@sernet.de>
         * BUG 15798: libnet4: seg fault after dc lookup failure

              Pavel Filipensky (pfilipen@redhat.com)
              Andreas Schneider
              Anuj Borah
              Marc Muehlfeld
              Votes: 0
              Watchers: 6