Samba 4.22 Features added/changed

From SambaWiki

Samba 4.22 is the current stable release.

Samba 4.22.2

Release Notes for Samba 4.22.2
June 05, 2025

This is the latest stable release of the Samba 4.22 release series.

It contains the security-relevant bugfix for CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session.

Description of CVE-2025-0620

With Kerberos authentication SMB sessions typically have an associated lifetime, requiring re-authentication by the client when the session expires. As part of the re-authentication, Samba receives the current group membership information and is expected to reflect this change in further SMB request processing.
For historic reasons, Samba maintains a cache of associations between a user's impersonation information and connected shares. A recent change in this cache caused Samba to not reflect group membership changes from session re-authentication when processing further SMB requests.
As a result, when an administrator removes a user from a particular group in Active Directory, this change will not become effective unless the user disconnects from the server and establishes a new connection.
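The failure mode described above, as an added model (not Samba code): a per-connection cache that maps a share to the user's access token keeps serving the token captured at first use, so a re-authentication that delivers a smaller group list is never noticed; keying the cache on the delivered token makes the refreshed group set miss the cache and be re-evaluated. Users, groups and shares are constructed for the illustration.

```python
"""Model of the CVE-2025-0620 failure mode (added illustration, not Samba code).
All users, groups and share names below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Impersonation info delivered at (re-)authentication: user plus group set."""
    user: str
    groups: frozenset


@dataclass
class Share:
    name: str
    required_group: str

    def permits(self, token: Token) -> bool:
        return self.required_group in token.groups


class StaleCacheServer:
    """Buggy behaviour: the cache is keyed on (session id, share) only, so the
    token stored at first access is reused after re-authentication."""

    def __init__(self):
        self._cache = {}

    def check_access(self, session_id: int, token: Token, share: Share) -> bool:
        key = (session_id, share.name)
        cached = self._cache.setdefault(key, token)  # never refreshed on re-auth
        return share.permits(cached)


class TokenKeyedServer:
    """Fixed behaviour: the token delivered at re-authentication is part of the
    key, so a changed group set misses the cache and is re-evaluated."""

    def __init__(self):
        self._cache = {}

    def check_access(self, session_id: int, token: Token, share: Share) -> bool:
        key = (session_id, share.name, token)
        cached = self._cache.setdefault(key, token)
        return share.permits(cached)


def simulate(server) -> list:
    """Replay: first request as a member of 'finance', then a re-authentication
    after the administrator removed the user from that group in AD.
    Returns the two access decisions."""
    share = Share("finance$", "finance")
    before = Token("alice", frozenset({"domain users", "finance"}))
    after = Token("alice", frozenset({"domain users"}))  # group removed in AD
    session_id = 42
    return [
        server.check_access(session_id, before, share),
        # expired session re-authenticated; server receives the new group list
        server.check_access(session_id, after, share),
    ]


if __name__ == "__main__":
    print("stale cache:", simulate(StaleCacheServer()))  # [True, True]
    print("token-keyed:", simulate(TokenKeyedServer()))  # [True, False]
```

The second decision is the one that matters: with the stale cache the user keeps access to the share after the group removal until the connection is torn down, which is exactly the symptom the description gives.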


Changes since 4.22.1

  • Ralph Boehme <slow@samba.org>
      • BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership changes when re-authenticating an expired SMB session.
  • Ralph Boehme <slow@samba.org>
      • BUG 15861: Profile sync fails due to Directory Leases.
  • Pavel Filipenský <pfilipensky@samba.org>
      • BUG 15727: net ad join fails with "Failed to join domain: failed to create kerberos keytab".
  • Stefan Metzmacher <metze@samba.org>
      • BUG 15851: dcerpcd not able to bind to listening port.
  • Anoop C S <anoopcs@samba.org>
      • BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any level beyond share root.
  • Martin Schwenke <mschwenke@ddn.com>
      • BUG 15858: CTDB does not put nodes running NFS into grace on graceful shutdown.
Release Notes Samba 4.22.2.

Samba 4.22.1

Release Notes for Samba 4.22.1
April 17, 2025

This is the latest stable release of the Samba 4.22 release series.

Changes since 4.22.0

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
      • BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
      • BUG 15829: samba-tool gpo backup creates entity backups it can't read.
      • BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with prepended 0's.
  • Ralph Boehme <slow@samba.org>
      • BUG 15767: Deadlock between two smbd processes.
      • BUG 15823: Subnet based interfaces definition not listening on all covered IP addresses.
      • BUG 15836: PANIC: assert failed at source3/smbd/smb2_oplock.c(156): sconn->oplocks.exclusive_open>=0.
  • Pavel Filipenský <pfilipensky@samba.org>
      • BUG 15727: net ad join fails with "Failed to join domain: failed to create kerberos keytab".
  • Andreas Hasenack <andreas.hasenack@canonical.com>
      • BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
  • Xavi Hernandez <xhernandez@redhat.com>
      • BUG 15822: Enable support for cephfs case insensitive behavior.
  • Volker Lendecke <vl@samba.org>
      • BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
      • BUG 15841: Wide link issue in samba 4.22.
  • Stefan Metzmacher <metze@samba.org>
      • BUG 15767: Deadlock between two smbd processes.
      • BUG 15845: NT_STATUS_INVALID_PARAMETER: Can't create folders on share of an exfat file system.
      • BUG 15849: Lease code is not endian-safe.
  • Anoop C S <anoopcs@samba.org>
      • BUG 15818: vfs_ceph_new module does not work with other modules for snapshot management.
      • BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN, SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.
  • Shachar Sharon <ssharon@redhat.com>
      • BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
Release Notes Samba 4.22.1.

Samba 4.22.0

Release Notes for Samba 4.22.0
March 06, 2025

Release Announcements

This is the first stable release of the Samba 4.22 release series.

Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

SMB3 Directory Leases

Starting with Samba 4.22 SMB3 Directory Leases are supported. The new global option "smb3 directory leases" controls whether the feature is enabled or not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and disabled on clustered Samba, based on the "clustering" option. See man smb.conf for more details.

SMB3 Directory Leases allow clients to cache directory listings and, depending on the workload, result in a decent reduction in SMB requests from clients.

Netlogon Ping over LDAP and LDAPS

Samba must query domain controller information via simple queries on the AD rootDSE's netlogon attribute. Typically this is done via connectionless LDAP (CLDAP), using UDP on port 389. The same information is also available via classic LDAP rootDSE queries over TCP. Samba can now be configured to use TCP via the new "client netlogon ping protocol" parameter, which allows running in environments where firewalls completely block port 389 or UDP traffic to domain controllers.
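As an added illustration (not text from the release notes), a minimal smb.conf global section that enables the two features described above on a domain member: directory leases are switched on explicitly instead of relying on the "Auto" default, and netlogon pings go over TCP LDAP. The workgroup and realm are constructed, and the value "ldap" for "client netlogon ping protocol" is taken from the heading (LDAP and LDAPS), so check it against man smb.conf for your version.

```ini
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    security = ads

    # Let clients cache directory listings (default "Auto": enabled unless
    # "clustering = yes"). Setting it explicitly makes the intent visible.
    smb3 directory leases = yes

    # Query the DC's rootDSE netlogon attribute over TCP LDAP instead of
    # CLDAP (UDP/389), for networks where UDP to the DCs is filtered.
    client netlogon ping protocol = ldap
```

Note that smb.conf does not accept comments after a value on the same line, so the comments are kept on their own lines. To confirm what the running configuration resolves to, "testparm -s --parameter-name='client netlogon ping protocol'" prints the effective value.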

Experimental Himmelblaud Authentication in Samba

Samba now includes experimental support for Azure Entra ID authentication via `himmelblaud`, located in the `rust/` directory. This implementation provides basic authentication and is configured through `smb.conf`, utilizing options such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.

To enable, configure Samba with `--enable-rust --with-himmelblau`.

By increasing the LDB index cache size for certain offline operations that are likely to require large transactions, these are now several times faster.

REMOVED FEATURES

nmbd proxy logon

The "nmbd proxy logon" feature was removed. This was used before Samba4 acquired a NBT server.

cldap port

The parameter "cldap port" has been removed. CLDAP runs over UDP port 389, and we don't see a reason why this should ever be changed to a different port. Moreover, we had several places in the code where Samba did not respect this parameter, so the behaviour was at least inconsistent.

fruit:posix_rename

This option of the vfs_fruit VFS module that could be used to enable POSIX directory rename behaviour for OS X clients has been removed as it could result in severe problems for Windows clients.

As a possible workaround, creation of .DS_Store files (a Finder artefact that stores directory view settings) on network mounts can be prevented by running

  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

on the Mac.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 smb3 directory leases                   New             Auto
 vfs mkdir use tmp name                  New             Auto
 client netlogon ping protocol           New             cldap
 himmelblaud hello enabled               New             no
 himmelblaud hsm pin path                New             default hsm pin path
 himmelblaud sfa fallback                New             no
 client use krb5 netlogon                Experimental    no
 reject aes netlogon servers             Experimental    no
 server reject aes schannel              Experimental    no
 server support krb5 netlogon            Experimental    no
 fruit:posix_rename                      Removed
 cldap port                              Removed


CHANGES SINCE 4.22.0rc4

  • Ralph Boehme <slow at samba.org>
      • BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
  • Anoop C S <anoopcs at samba.org>
      • BUG 15797: Unable to connect to CephFS subvolume shares with vfs_shadow_copy2.
  • Stefan Metzmacher <metze at samba.org>
      • BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
  • Martin Schwenke <mschwenke at ddn.com>
      • BUG 15820: Incorrect FSF address in ctdb pcp scripts.
  • Andrea Venturoli <ml at netfence.it>
      • BUG 15804: "samba-tool domain backup offline" hangs.

CHANGES SINCE 4.22.0rc3

  • Stefan Metzmacher <metze@samba.org>
      • BUG 15815: client use krb5 netlogon is experimental and should not be used in production.

CHANGES SINCE 4.22.0rc2

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
      • BUG 15738: Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later.
  • Bjoern Baumbach <bb@sernet.de>
      • BUG 15806: samba-tool acl commands broken for relative path names.
      • BUG 15807: pysmbd seg faults when file is not found.
  • Ralph Boehme <slow@samba.org>
      • BUG 15796: Spotlight search results don't show file size and creation date.
  • Pavel Filipenský <pfilipensky@samba.org>
      • BUG 15759: net ads create/join/winbind producing unix dysfunctional keytabs.
  • Volker Lendecke <vl@samba.org>
      • BUG 15806: samba-tool acl commands broken for relative path names.
      • BUG 15807: pysmbd seg faults when file is not found.
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Shweta Sodani <ssodani@redhat.com>
      • BUG 15703: General improvements for vfs_ceph_new module.

CHANGES SINCE 4.21.0rc1

  • Björn Baumbach <bb at sernet.de>
      • BUG 15798: libnet4: seg fault after dc lookup failure.

KNOWN ISSUES

See Release_Planning_for_Samba_4.22#Release_blocking_bugs.