Samba 4.24 Features added/changed
Samba 4.24 is the current stable release.
Samba 4.24.2
- Release Notes for Samba 4.24.2
- May 12, 2026
This is the latest stable release of the Samba 4.24 release series.
Changes since 4.24.1
- Vinit Agnihotri <vagnihot@redhat.com>
- BUG 16038: Samba 4.24 with cups can't get queue and shows errors about fetch_share_cache_time
- Thales Antunes de Oliveira Barretto <thales.barretto.git@gmail.com>
- BUG 16043: Fix a directory file descriptor leak in vfs_glusterfs that caused unbounded memory growth on the GlusterFS brick with persistent SMB2 connections.
- Ralph Boehme <slow@samba.org>
- BUG 16030: Windows Offline Files fails with permission error when directory has the read-only attribute set
- Pavel Filipenský <pfilipensky@samba.org>
- Björn Jacke <bjacke@samba.org>
- BUG 16076: samba-tool shows wrong format specifiers for timestamp attributes
- Stefan Metzmacher <metze@samba.org>
- BUG 14638: restrict anonymous = 2 breaks RODC functionality
- BUG 15973: smbpasswd can crash winbindd on an AD DC
- BUG 15995: smbd does not cleanup on disconnect of the transport connection on lease break errors
- BUG 16059: CVE-2026-40170: thirdparty ngtcp2 needs to be updated
- BUG 16067: Require NTLMv2 session security on Windows makes trusts to Samba unusable
- BUG 16073: Winbind can change Ownership Of / To A User Who has Homedir / In passwd
- Andreas Schneider <asn@samba.org>
- BUG 15987: Winbind lsa_OpenPolicy() fails on lsa connection setup with: NT_STATUS_RPC_CANNOT_SUPPORT
- Shachar Sharon <ssharon@redhat.com>
- BUG 16068: CTDB read-only record handling contains use after free and resource leak bugs
Release Notes Samba 4.24.2.
Samba 4.24.1
- Release Notes for Samba 4.24.1
- April 17, 2026
This is the latest stable release of the Samba 4.24 release series.
Changes since 4.24.0
- Björn Jacke <bjacke@samba.org>
- BUG 16057: autobuild fails if /proc/version contains trailing space
- Stefan Metzmacher <metze@samba.org>
- BUG 16035: use after free in streams_xattr_connect()
- Noel Power <noel.power@suse.com>
- Andreas Schneider <asn@samba.org>
Release Notes Samba 4.24.1.
Samba 4.24.0
- Release Notes for Samba 4.24.0
- March 18, 2026
Release Announcements
This is the first stable release of the Samba 4.24 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
Authentication information audit support
There are some Active Directory attributes that are not secret, but are relied on in some forms of authentication. Changes to these attributes could indicate surreptitious activity. The "dsdb_password_audit" and "dsdb_password_json_audit" debug classes now log changes to the following attributes:
- altSecurityIdentities
- dNSHostName
- msDS-AdditionalDnsHostName
- msDS-KeyCredentialLink
- servicePrincipalName
For the JSON logs, changes to these will be logged with the "action" field set to "Auth info change".
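As an added example (not part of the release notes and not Samba's own code), the following detector reads dsdb_password_json_audit lines, pulls out the "Auth info change" events described above, and flags accounts whose authentication attributes were changed from more than one remote address. Only the "action" value comes from this page; the sample records are constructed, and the surrounding field names (type, passwordChange, dn, userSid, remoteAddress, status) follow the layout of Samba's existing password-change JSON audit records and should be treated as an assumption to check against your own logs.

```python
import json
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List

# The action value that the release notes say marks a change to one of the
# audited authentication attributes.
AUTH_INFO_ACTION = "Auth info change"

# Attributes the release notes list as covered by this audit support.
AUTH_INFO_ATTRIBUTES = (
    "altSecurityIdentities",
    "dNSHostName",
    "msDS-AdditionalDnsHostName",
    "msDS-KeyCredentialLink",
    "servicePrincipalName",
)

# Constructed sample records, not real logs. Field names other than "action" are
# an assumption based on Samba's existing passwordChange audit layout.
SAMPLE_LOG = """\
{"timestamp": "2026-03-20T09:14:02.111Z", "type": "passwordChange", "passwordChange": {"status": "Success", "remoteAddress": "ipv4:192.0.2.10:49152", "userSid": "S-1-5-21-1-2-3-1105", "dn": "CN=alice,CN=Users,DC=example,DC=test", "action": "Reset"}}
{"timestamp": "2026-03-20T09:15:40.222Z", "type": "passwordChange", "passwordChange": {"status": "Success", "remoteAddress": "ipv4:192.0.2.77:50001", "userSid": "S-1-5-21-1-2-3-1201", "dn": "CN=svc-backup,CN=Users,DC=example,DC=test", "action": "Auth info change"}}
this line is not JSON and must be skipped
{"timestamp": "2026-03-20T09:16:01.333Z", "type": "passwordChange", "passwordChange": {"status": "Success", "remoteAddress": "ipv4:192.0.2.10:49160", "userSid": "S-1-5-21-1-2-3-1302", "dn": "CN=WS01,CN=Computers,DC=example,DC=test", "action": "Auth info change"}}
{"timestamp": "2026-03-20T09:18:55.444Z", "type": "passwordChange", "passwordChange": {"status": "Success", "remoteAddress": "ipv4:198.51.100.5:41022", "userSid": "S-1-5-21-1-2-3-1201", "dn": "CN=svc-backup,CN=Users,DC=example,DC=test", "action": "Auth info change"}}
"""


def parse_audit_lines(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse JSON audit lines, silently skipping anything that is not a record."""
    events: List[Dict[str, Any]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        # The per-type payload lives under a key named after the record type.
        body = rec.get(rec.get("type", ""))
        if not isinstance(body, dict):
            continue
        events.append({
            "timestamp": rec.get("timestamp"),
            "dn": body.get("dn"),
            "remote": body.get("remoteAddress"),
            "action": body.get("action"),
            "status": body.get("status"),
        })
    return events


def auth_info_changes(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Successful changes to the audited authentication attributes."""
    return [e for e in events
            if e["action"] == AUTH_INFO_ACTION and e["status"] == "Success"]


def changes_per_account(events: List[Dict[str, Any]]) -> Counter:
    return Counter(e["dn"] for e in auth_info_changes(events))


def _peer_ip(remote: Any) -> Any:
    # "ipv4:192.0.2.10:49152" -> "192.0.2.10"; other formats are returned unchanged.
    if isinstance(remote, str) and remote.startswith("ipv4:"):
        return remote[5:].rsplit(":", 1)[0]
    return remote


def multi_source_accounts(events: List[Dict[str, Any]]) -> List[str]:
    """Accounts whose auth attributes were changed from more than one peer address."""
    sources = defaultdict(set)
    for e in auth_info_changes(events):
        sources[e["dn"]].add(_peer_ip(e["remote"]))
    return sorted(dn for dn, ips in sources.items() if len(ips) > 1)


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_LOG.splitlines())
    for dn, n in changes_per_account(evs).items():
        print(f"{n} auth info change(s): {dn}")
    for dn in multi_source_accounts(evs):
        print(f"REVIEW: changed from several addresses: {dn}")
```

The record itself does not name which of the five attributes changed, so correlating the event with an LDAP-level view of the account (or with samba-tool output) is still needed to see what was written.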
vfs_streams_xattr can hold larger streams
On Linux the size of a single extended attribute is limited to 65536 bytes. For some file systems this is also the overall limit on xattr space per file, but xfs, for example, can hold more than 64k of extended attributes in total, although each individual xattr is still limited to 64k. Setting
streams_xattr:max xattrs per stream = 1
to a value higher than 1 allows Samba to shard a stream across more than one xattr. The value has an artificial upper limit of 16, for a maximum stream length of 1MB.
Support for remote password management (Entra ID SSPR, Keycloak)
When a system such as Entra ID or Keycloak wants to change a user's password in its own database as well as in AD, it will use a password reset, meaning it does not transmit the old password to the domain controller. Normally a password reset avoids password history and age checks, which would allow a cloud password change to bypass on-premises password policies. To address this, a password reset using the "policy hints" control should respect password policies, as if it were an ordinary password change. Both Entra ID and Keycloak use this, but until now Samba did not understand this control, and would reject these reset requests.
Now Samba AD will recognise the policy hints control and enforce local policy. This allows Microsoft Entra self-service password reset (SSPR) to work, and for Keycloak to work with the "password policy hints enabled" option.
Kerberos PKINIT KeyTrust logon support
Samba servers configured with the embedded Heimdal KDC and running as an AD DC now support "Windows Hello for Business Key-Trust logons". This allows the PKINIT authentication mechanism to be used with self-signed keys.
The samba-tool computer and user commands have a new "keytrust" sub-command which allows the public key details for computer and user accounts to be set and viewed. The public key details are stored in the msDS-KeyCredentialLink attribute of the account.
msDS-KeyCredentialLink validation
Updates to the msDS-KeyCredentialLink attribute are validated against the rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
Kerberos PKINIT strong/flexible key mappings
Samba servers configured with the embedded Heimdal KDC and running as an AD DC now support "Windows Strong and Flexible key mappings" as outlined in Microsoft KB5014754: Certificate-based authentication changes on Windows domain controllers.
The default enforcement mode ("full") allows only strong certificate mappings. The smb.conf option
strong certificate binding enforcement = compatibility
will allow weak mappings where the certificate is newer than the user account. The option "none" will allow any mappings. The mappings for an account should be placed in the altSecurityIdentities attribute and follow the syntax documented in KB5014754.
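To see which altSecurityIdentities values on an account will survive the "full" enforcement mode before switching it on, the following added example (written for this page, not Samba's code) classifies each mapping as strong or weak by the tag syntax of KB5014754 and then evaluates it under the three enforcement modes. The compatibility rule as coded (a weak mapping passes only when the certificate's notBefore is not older than the account's creation time) and the treatment of "certificate backdating compensation" as a number of seconds credited to the certificate are assumptions modelled on the text above, not a description of Samba's implementation; the sample mappings and dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Tag sequences from KB5014754. The strong forms bind the certificate itself
# (issuer + serial, subject key identifier, SHA-1 of the public key); the weak
# forms bind names that a different certificate could also carry.
STRONG_FORMS = {("I", "SR"), ("SKI",), ("SHA1-PUKEY",)}
WEAK_FORMS = {("S",), ("I", "S"), ("RFC822",)}

_TAG_RE = re.compile(r"<([A-Z0-9-]+)>")

# Constructed sample data.
SAMPLE_MAPPINGS = [
    "X509:<I>DC=test,DC=example,CN=Example Issuing CA<SR>1200000000AC11000000002B",
    "X509:<SKI>1384d5c46f4e9e3e8f6b2ac1d5e7f0a9b8c7d6e5",
    "X509:<S>CN=alice,CN=Users,DC=example,DC=test",
    "X509:<RFC822>alice@example.test",
    "Kerberos:alice@EXAMPLE.TEST",
]
ACCOUNT_CREATED = datetime(2026, 1, 15, tzinfo=timezone.utc)   # whenCreated
OLD_CERT = datetime(2025, 12, 1, tzinfo=timezone.utc)          # notBefore before the account
NEW_CERT = datetime(2026, 2, 1, tzinfo=timezone.utc)           # notBefore after the account


def classify_mapping(value: str) -> str:
    """Return 'strong', 'weak' or 'unsupported' for one altSecurityIdentities value."""
    if not value.startswith("X509:"):
        return "unsupported"      # e.g. Kerberos:... values are not X.509 mappings
    tags = tuple(_TAG_RE.findall(value[len("X509:"):]))
    if tags in STRONG_FORMS:
        return "strong"
    if tags in WEAK_FORMS:
        return "weak"
    return "unsupported"


def mapping_accepted(value: str, mode: str, cert_not_before: datetime,
                     account_created: datetime, backdating_compensation: int = 0) -> bool:
    """Would this mapping be usable under the given enforcement mode?"""
    kind = classify_mapping(value)
    if kind == "unsupported":
        return False
    if kind == "strong" or mode == "none":
        return True
    if mode == "full":
        return False
    if mode == "compatibility":
        # Assumption: a weak mapping is tolerated only if the certificate is newer
        # than the account, with the compensation (seconds) credited to the certificate.
        credited = cert_not_before + timedelta(seconds=backdating_compensation)
        return credited >= account_created
    raise ValueError(f"unknown enforcement mode: {mode}")


def weak_mappings(values: List[str]) -> List[str]:
    """Mappings that stop working once enforcement is set to 'full'."""
    return [v for v in values if classify_mapping(v) == "weak"]


def audit_account(values: List[str], mode: str, cert_not_before: datetime,
                  account_created: datetime, backdating_compensation: int = 0
                  ) -> Dict[str, Tuple[str, bool]]:
    """{mapping: (kind, accepted)} for every mapping on one account."""
    return {v: (classify_mapping(v),
                mapping_accepted(v, mode, cert_not_before, account_created,
                                 backdating_compensation))
            for v in values}


if __name__ == "__main__":
    for mode in ("full", "compatibility", "none"):
        print(f"--- strong certificate binding enforcement = {mode}")
        for v, (kind, ok) in audit_account(SAMPLE_MAPPINGS, mode, OLD_CERT,
                                            ACCOUNT_CREATED).items():
            print(f"{'accept' if ok else 'reject':6} {kind:11} {v}")
```

The practical use is the "full" column: anything `weak_mappings()` reports needs to be re-issued as an issuer/serial, SKI or SHA1-PUKEY mapping (or replaced by a certificate carrying the Object SID extension) before the default enforcement is relied on.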
Kerberos PKINIT SID extension
PKINIT authentication now supports certificates containing an Object SID extension (extension 1.3.6.1.4.1.311.25.2); this is considered a STRONG mapping under KB5014754.
The computer and user samba-tool commands have a new sub-command "generate-csr" to generate certificate signing requests.
KDC includes PAC by default
Samba will ignore the value provided by the client in "PA-PAC-REQUEST" and always include a PAC in responses, unless "kdc always generate pac" is set to "no".
KDC can insist clients request canonicalization
Canonicalization of principal client names is not mandatory in Kerberos (per RFC4120) but must be requested by the client. In some circumstances this allows a client to deceive Active Directory member servers (known as the "dollar ticket" attack).
The new configuration option "kdc require canonicalization" can be used to require that clients request canonicalization; if they do not, their AS_REQ requests will be rejected as if the account was unknown.
The default value is "no", for backward compatibility. Windows clients will ask for canonicalization by default, so in Windows-heavy environments it is safe and recommended to set this to "yes".
KDC can avoid potentially confusing canonicalization
Currently, when a client does not request canonicalization and the KDC finds no match for the requested name, it appends a "$" to the name and tries again. An attacker who can create arbitrary machine accounts can sometimes obtain tickets for Unix users by mimicking their names (the "dollar ticket" attack).
The configuration option
kdc name match implicit dollar without canonicalization = no
can be used to disable this behaviour for clients that do not request canonicalization. This probably only affects traditional Unix clients, as Windows clients use canonicalization. Affected clients that want a ticket for a machine account will have to use the full name including the dollar (e.g. "server$", not "server").
If the "kdc require canonicalization" option cannot be set to "yes" (because some clients do not request canonicalization), setting this option to "no" is a good alternative.
KDC provides Kerberos acceptors with canonical client names
By default the KDC will now send Kerberos services the canonicalized name (the sAMAccountName from the PAC) rather than trusting the cname.
To return to the old behaviour, use
krb5 acceptor report canonical client name = no
in the smb.conf.
This currently affects Heimdal KDC only, not MIT.
KDC recommended configuration:
strong certificate binding enforcement = full
kdc always include pac = yes
kdc require canonicalization = yes
If "kdc require canonicalization = yes" cannot be used, then "kdc name match implicit dollar without canonicalization" should be set to "no" if possible.
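The following added example (written for this page, not Samba's code) reads the [global] section of an smb.conf and reports where it departs from the recommended KDC configuration above, including the fallback rule for the implicit-dollar option. It assumes Samba's usual boolean spellings (yes/true/1) and that parameter names compare with whitespace and case ignored. The defaults come from the smb.conf table in these notes, except that the default of "yes" for "kdc name match implicit dollar without canonicalization" is an assumption, since that table row is truncated on this page. Both smb.conf fragments are constructed.

```python
import re
from typing import Dict, List, Tuple

# Defaults taken from the smb.conf table in the 4.24.0 release notes. The
# implicit-dollar default is an ASSUMPTION (that table row is truncated).
DEFAULTS = {
    "strong certificate binding enforcement": "full",
    "kdc always include pac": "yes",
    "kdc require canonicalization": "no",
    "kdc name match implicit dollar without canonicalization": "yes",  # assumption
}

# Constructed smb.conf fragments (not from any real deployment).
SAMPLE_SMB_CONF = """\
[global]
    realm = EXAMPLE.TEST
    workgroup = EXAMPLE
    server role = active directory domain controller
    strong certificate binding enforcement = compatibility
    ; kdc always include pac is left at its default
    kdc require canonicalization = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
"""

HARDENED_SMB_CONF = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    strong certificate binding enforcement = full
    kdc always include pac = yes
    kdc require canonicalization = yes
"""


def _norm(name: str) -> str:
    # Assumption: parameter names match with whitespace removed and case folded.
    return re.sub(r"\s+", "", name).lower()


def parse_global(text: str) -> Dict[str, str]:
    """Collect 'name = value' parameters from the [global] section only."""
    params: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def _effective(params: Dict[str, str], name: str) -> str:
    return params.get(_norm(name), DEFAULTS[name])


def check_kdc_hardening(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, effective value, recommended value) for each deviation."""
    p = parse_global(text)
    findings: List[Tuple[str, str, str]] = []
    sce = _effective(p, "strong certificate binding enforcement")
    if sce.lower() != "full":
        findings.append(("strong certificate binding enforcement", sce, "full"))
    pac = _effective(p, "kdc always include pac")
    if not _is_yes(pac):
        findings.append(("kdc always include pac", pac, "yes"))
    canon = _effective(p, "kdc require canonicalization")
    if not _is_yes(canon):
        # Fallback from the notes: when canonicalization cannot be required,
        # at least stop the implicit "$" match for non-canonicalizing clients.
        dollar = _effective(p, "kdc name match implicit dollar without canonicalization")
        if _is_yes(dollar):
            findings.append(("kdc name match implicit dollar without canonicalization",
                             dollar, "no (or set kdc require canonicalization = yes)"))
    return findings


if __name__ == "__main__":
    for name, current, wanted in check_kdc_hardening(SAMPLE_SMB_CONF):
        print(f"{name}: is '{current}', recommended '{wanted}'")
```

Run it against the output of `testparm -s` rather than the raw file if the configuration uses `include` directives, since this parser does not follow them.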
samba-tool
Two new sub-commands have been added to the user and computer commands:
- user|computer generate-csr: Generate a certificate signing request for an account containing the Object SID extension (extension 1.3.6.1.4.1.311.25.2)
- user|computer keytrust: Add the public key details of a self-signed certificate to an account. The command supports PEM and DER encoded public keys.
New AIO rate-limiting VFS module
A new stackable VFS module has been introduced to implement rate-limiting for asynchronous I/O operations. Administrators can now enforce throughput ceilings by defining limits in either operations per second or bytes per second. The module uses a token-based algorithm to calculate real-time I/O load; when limits are exceeded, it dynamically injects millisecond delays into async operations to keep traffic within the defined threshold.
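To illustrate the token-based approach described above, this added example (an illustration written for this page, not the vfs_aio_ratelimit module's code) keeps two token buckets, one in operations per second and one in bytes per second, and returns the millisecond delay an I/O operation would have to absorb once a bucket is exhausted. The class and parameter names, the choice to let a bucket go into debt and express the debt as a delay rather than rejecting the operation, and the sample workload are all assumptions.

```python
import time
from typing import List, Optional


class TokenBucket:
    """Token bucket that may run into debt; the debt is reported as a delay."""

    def __init__(self, rate_per_sec: float, burst: float, clock=time.monotonic):
        self.rate = float(rate_per_sec)      # tokens added per second
        self.capacity = float(burst)         # maximum stored tokens
        self.tokens = float(burst)           # start full
        self.clock = clock
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def delay_ms(self, cost: float) -> float:
        """Charge `cost` tokens and return how long (ms) the caller should wait
        for the bucket to climb back to zero; 0.0 means no throttling needed."""
        self._refill()
        self.tokens -= cost
        if self.tokens >= 0.0:
            return 0.0
        return -self.tokens / self.rate * 1000.0


class AioRateLimiter:
    """Ops/s and bytes/s ceilings; the larger of the two delays is applied."""

    def __init__(self, ops_per_sec: Optional[float] = None,
                 bytes_per_sec: Optional[float] = None, clock=time.monotonic):
        # Burst size equals one second of budget (assumption for this example).
        self.ops = TokenBucket(ops_per_sec, ops_per_sec, clock) if ops_per_sec else None
        self.bytes = TokenBucket(bytes_per_sec, bytes_per_sec, clock) if bytes_per_sec else None

    def delay_ms(self, nbytes: int) -> float:
        delay = 0.0
        if self.ops is not None:
            delay = max(delay, self.ops.delay_ms(1))
        if self.bytes is not None:
            delay = max(delay, self.bytes.delay_ms(nbytes))
        return delay


class FakeClock:
    """Deterministic clock so the simulation is reproducible."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_burst(n_ops: int, nbytes: int, ops_per_sec: float,
                   bytes_per_sec: float, gap_seconds: float = 0.0) -> List[float]:
    """Issue n_ops requests of nbytes each, gap_seconds apart, and return the
    delay (ms) the limiter would inject before each one."""
    clock = FakeClock()
    limiter = AioRateLimiter(ops_per_sec, bytes_per_sec, clock)
    delays: List[float] = []
    for _ in range(n_ops):
        delays.append(limiter.delay_ms(nbytes))
        clock.advance(gap_seconds)
    return delays


if __name__ == "__main__":
    # Constructed workload: twenty 64 KiB writes back to back against a
    # 100 ops/s, 1 MiB/s limit. The byte budget runs out at the 17th write.
    for i, d in enumerate(simulate_burst(20, 65536, 100, 1048576), 1):
        print(f"op {i:2d}: delay {d:7.1f} ms")
```

With the byte budget exhausted, each further 64 KiB write carries 62.5 ms more debt than the one before it, which is exactly the shape of the "inject delays to hold the threshold" behaviour the module description promises; spacing the same writes 100 ms apart keeps the buckets topped up and yields no delay at all.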
CephFS FSCrypt support for the VFS ceph_new module
The ceph_new VFS module can now make use of the FSCrypt feature recently added to CephFS. This enhancement enables data and file name encryption on a per share basis. A single CephFS file system may host a mix of encrypted and unencrypted directories.
To obtain the encryption keys needed for FSCrypt the ceph_new module includes support for the Keybridge protocol. Keybridge is an RPC protocol based on Varlink that can retrieve keys from a local service via a UNIX socket. Users can choose to develop a custom Keybridge implementation or use the existing KMIP-compatible Keybridge server available as part of the sambacc project.
Domain encryption types changed to AES by default
The default value of the smb.conf option "kdc default domain supported enctypes" now corresponds to "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96" (both AES encryption types) if the domain functional level is 2008 or higher. This addresses CVE-2026-20833.
REMOVED FEATURES
smb.conf changes
Parameter Name                                            Description  Default
--------------                                            -----------  -------
strong certificate binding enforcement                    New          full
certificate backdating compensation                       New          0
kdc always include pac                                    New          yes
kdc require canonicalization                              New          no
kdc name match implicit dollar without canonicalization
KNOWN ISSUES
CHANGES SINCE 4.24.0rc3
- Volker Lendecke <vl@samba.org>
- BUG 16019: incorrect behavior on rpcclient enumport with rpcd_spoolss
- Gary Lockyer <gary@catalyst.net.nz>
- BUG 16001: altSecurityIdentities X509 issuer DN order is reversed
- Avan Thakkar <athakkar@redhat.com>
- BUG 16000: vfs_aio_ratelimit: introduce burst-aware and persistent state model
CHANGES SINCE 4.24.0rc2
- Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
- BUG 15990: No function _python_sysroot defined
- Ralph Boehme <slow at samba.org>
- Pavel Filipenský <pfilipensky at samba.org>
- BUG 15993: 'net ads kerberos kinit' should use also default ccache name from krb5.conf
- Noel Power <noel.power at suse.com>
- BUG 15789: "use-kerberos=desired" broken
- Andreas Schneider <asn at samba.org>
- BUG 15975: source3/libads/kerberos.c sets wrong failure for negative connection cache
- Peter Schwenke <pschwenke at ddn.com>
- Martin Schwenke <mschwenke at ddn.com>
- BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses their state
- Jennifer Sutton <jennifersutton at catalyst.net.nz>
- BUG 15998: Backport domain default AES encryption types to 4.24
CHANGES SINCE 4.24.0rc1
- Samuel Cabrero <scabrero@samba.org>
- BUG 15979: possible memory leak on rpc_spoolss
- Pavel Filipenský <pfilipensky@samba.org>
- BUG 15972: Winbind group resolution failure
- Noel Power <noel.power@suse.com>
- BUG 15979: possible memory leak on rpc_spoolss
- Martin Schwenke <mschwenke@ddn.com>
- BUG 15977: ctdbd socket documentation is wrong
- Michael Tokarev <mjt@tls.msk.ru>
- BUG 15976: time_t related build failure on 32bit arch in 4.24.0rc1
Release_Planning_for_Samba_4.24#Release_blocking_bugs
Release Notes Samba 4.24.0.