Samba 4.22 Features added/changed

From SambaWiki

Samba 4.22 is Current Stable Release.

Samba 4.22.0

Release Notes for Samba 4.22.0
March 06, 2025

Release Announcements

This is the first stable release of the Samba 4.22 release series.

Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

SMB3 Directory Leases

Starting with Samba 4.22 SMB3 Directory Leases are supported. The new global option "smb3 directory leases" controls whether the feature is enabled or not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and disabled on clustered Samba, based on the "clustering" option. See man smb.conf for more details.

SMB3 Directory Leases allow clients to cache directory listings and, depending on the workload, result in a decent reduction in SMB requests from clients.

Netlogon Ping over LDAP and LDAPS

Samba must query domain controller information via simple queries on the AD rootdse's netlogon attribute. Typically this is done via connectionless LDAP, using UDP on port 389. The same information is also available via classic LDAP rootdse queries over TCP. Samba can now be configured to use TCP via the new "client netlogon ping protocol" parameter to enable running in environments where firewalls completely block port 389 or UDP traffic to domain controllers.

Experimental Himmelblaud Authentication in Samba

Samba now includes experimental support for Azure Entra ID authentication via `himmelblaud`, located in the `rust/` directory. This implementation provides basic authentication and is configured through `smb.conf`, utilizing options such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.

To enable, configure Samba with `--enable-rust --with-himmelblau`.

By increasing the LDB index cache size for certain offline operations that are likely to require large transactions, these are now several times faster.

REMOVED FEATURES

nmbd proxy logon

The "nmbd proxy logon" feature was removed. This was used beforeSamba4 acquired a NBT server.

The parameter "cldap port" has been removed. CLDAP runs over UDP port 389, we don't see a reason why this should ever be changed to a different port. Moreover, we had several places in the code where Samba did not respect this parameter, so the behaviour was at least inconsistent.

fruit:posix_rename

This option of the vfs_fruit VFS module that could be used to enable POSIX directory rename behaviour for OS X clients has been removed as it could result in severe problems for Windows clients.

As a possible workaround it is possible to prevent creation of .DS_Store files (a Finder thingy to store directory view settings) on network mounts by running 

  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

on the Mac.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 smb3 directory leases                   New             Auto
 vfs mkdir use tmp name                  New             Auto
 client netlogon ping protocol           New             cldap
 himmelblaud hello enabled               New             no
 himmelblaud hsm pin path                New             default hsm pin path
 himmelblaud sfa fallback                New             no
 client use krb5 netlogon                Experimental    no
 reject aes netlogon servers             Experimental    no
 server reject aes schannel              Experimental    no
 server support krb5 netlogon            Experimental    no
 fruit:posix_rename                      Removed
 cldap port                              Removed


CHANGES SINCE 4.22.0rc4

  • Ralph Boehme <slow at samba.org>
  • BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
  • Anoop C S <anoopcs at samba.org>
  • BUG 15797: Unable to connect to CephFS subvolume shares with vfs_shadow_copy2.
  • Stefan Metzmacher <metze at samba.org>
  • BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
  • Martin Schwenke <mschwenke at ddn.com>
  • BUG 15820: Incorrect FSF address in ctdb pcp scripts.
  • Andrea Venturoli <ml at netfence.it>
  • BUG 15804: "samba-tool domain backup offline" hangs.

CHANGES SINCE 4.22.0rc3

  • Stefan Metzmacher <metze@samba.org>
  • BUG 15815: client use krb5 netlogon is experimental and should not be used in production.

CHANGES SINCE 4.22.0rc2

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 15738: Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later.
  • Bjoern Baumbach <bb@sernet.de>
  • BUG 15806: samba-tool acl commands broken for relative path names
  • BUG 15807: pysmbd seg faults when file is not found.
  • Ralph Boehme <slow@samba.org>
  • BUG 15796: Spotlight search results don't show file size and creation date.
  • Pavel Filipenský <pfilipensky@samba.org>
  • BUG 15759: net ads create/join/winbind producing unix dysfunctional keytabs.
  • Volker Lendecke <vl@samba.org>
  • BUG 15806: samba-tool acl commands broken for relative path names.
  • BUG 15807: pysmbd seg faults when file is not found.
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Shweta Sodani <ssodani@redhat.com>
  • BUG 15703: General improvements for vfs_ceph_new module.

CHANGES SINCE 4.21.0rc1

  • Björn Baumbach <bb at sernet.de>
  • BUG 15798: libnet4: seg fault after dc lookup failure

KNOWN ISSUES

Release_Planning_for_Samba_4.22#Release_blocking_bugs
Retrieved from "https://wiki.samba.org/index.php?title=Samba_4.22_Features_added/changed&oldid=19482"