Samba 4.24 Brings Entra ID Password Reset Support and Kerberos Hardening

Samba 4.24 enhances Kerberos security, sets AES encryption as the default, and adds new KDC controls to strengthen Active Directory protection.

Samba, the open-source suite for file sharing and printing across Windows and Unix systems, has released version 4.24 with stronger Kerberos security, which now enforces AES encryption by default for domains at a 2008 functional level or newer. New KDC configuration options include requiring canonicalization in client requests and improved mitigation of “dollar ticket” attacks.

Samba 4.24 now also recognizes the “policy hints” control used by Microsoft Entra ID and Keycloak, enabling remote password resets to comply with on-premises password policies. This enables integration with Entra ID self-service password reset and similar platforms.

Certificate-based authentication is improved as well. The release adds support for Kerberos PKINIT KeyTrust logons, enabling Windows Hello for Business-style authentication with self-signed keys. Administrators can manage these keys using new samba-tool subcommands, and additional validation is now available for the msDS-KeyCredentialLink attribute.

Regarding authentication auditing, Samba can log changes to non-secret but security-relevant Active Directory attributes, such as servicePrincipalName and dNSHostName.

On the storage side, the vfs_streams_xattr module can now split larger data streams across multiple extended attributes, raising the effective size limit to 1 MB. A new asynchronous I/O rate-limiting VFS module has also been introduced, allowing administrators to cap throughput per share by operations per second or by bandwidth.

Moreover, the ceph_new VFS module now supports FSCrypt, enabling per-share encryption of data and filenames. Support for the Keybridge protocol allows secure retrieval of encryption keys from external services.

Additional Kerberos improvements include support for strong, flexible certificate mappings, SID extensions in certificates, and the default inclusion of Privilege Attribute Certificates in responses.

Finally, the release introduces new samba-tool commands for generating certificate signing requests and managing KeyTrust configurations.

For more information, see the release notes.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.