
Samba 4.23.9 drops with critical patches for use-after-free memory corruption and a winbindd crash that routinely follows bulk password updates. The release finally stops Windows Offline Files from throwing access denied errors on read-only shared directories. Grab the signed archives before pushing to production. Running this update eliminates the silent trust drops that plague mixed networks and keeps lease break errors from lingering in the backend.



How to Download Samba 4.23.9 and Fix Broken Windows Trusts

Samba 4.23.9 has just been released, and this isn’t one of those routine maintenance releases you can safely ignore until next Tuesday. The Samba Team fixed a crash that takes down winbindd during password updates, fixed a permission error that prevents Windows Offline Files from working on read-only directories, and patched a use-after-free memory corruption bug. Anyone running a mixed Windows and Linux environment will want to install this update. Downloading Samba 4.23.9 from source takes about ten minutes or a few clicks from the package manager. The real value is in how it stabilizes trust relationships and ACL processing under load.


Why the Trust and ACL Fixes Matter

Editors who have chased this down know the symptoms well. A recent network migration showed winbindd dropping connections exactly three seconds after a bulk password change. The patch closes that race condition completely. Volker Lendecke's update for use-after-free handling in ACLs with claims and conditions stops memory corruption before it becomes a segmentation fault. Memory corruption doesn't announce itself with a bright red screen. It usually shows up as intermittent share access drops that make administrators pull their hair out at 3 AM. When a Windows client requests share permissions through the backend, the server now safely handles the memory buffers instead of reusing stale pointers. This stops the silent directory listing corruption that plagues busy file servers.

Stefan Metzmacher handled the more political headache with the update to restrict anonymous authentication. Many administrators set that flag expecting better security, only to find read-only domain controllers refusing authentication entirely. The code now restores the expected handshake while keeping the strictness intact. Another patch addresses a crash in smbpasswd that takes down winbindd on active AD DCs. Updating a user password shouldn't require a full service restart or a reboot. The fix ties up loose ends in the transport disconnect cleanup process, ensuring lease break errors don't leave stale locks hanging around the filesystem.

Windows Offline Files and the Read-Only Directory Headache

Windows clients have always been finicky about attribute flags, and Ralph Boehme's patch finally addresses the permission error that appears when a shared directory carries the read-only flag. The Offline Files cache expects to write temporary metadata, but the server was throwing access denied errors instead of gracefully handling the mismatch. The backend now properly evaluates the attribute before denying the write attempt. File change notifications also stop ignoring security updates after Günther Deschner implemented the missing notification flag. Explorer windows and third-party backup tools finally see permission changes without requiring a manual refresh.

Shachar Sharon's work on CTDB read-only record handling deserves attention for cluster administrators. The patch eliminates another use-after-free condition and closes a resource leak that would slowly degrade cluster performance over weeks of uptime. Memory management in distributed file systems is usually boring until it breaks. This update makes it boring in a good way.

How to Download Samba 4.23.9 Without Breaking the Build

You can download the new version from here. The source tarballs and patch files carry GnuPG signatures from key ID AA99442FB680B620.
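One way to check those signatures before building, as an added example (not code from the Samba project or from this article): `gpg --verify` exits successfully for a good signature from any key in the keyring, so the script parses gpg's machine-readable status output and accepts only the key ID quoted above. File paths are supplied by the caller, and the sample status lines are constructed.

```shell
#!/bin/sh
# Key ID as quoted on the page. A 64-bit key ID is only the tail of a
# fingerprint; pin the full fingerprint once you have it from a trusted channel.
EXPECTED_KEYID="AA99442FB680B620"

# check_signer KEYID: reads `gpg --status-fd` output on stdin and succeeds only
# if a VALIDSIG line names a signing key or primary key whose fingerprint ends
# in KEYID and gpg reported no bad, unverifiable, revoked or expired-key signature.
check_signer() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); n = length(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            sig = toupper($3); pri = toupper($NF)
            if (substr(sig, length(sig) - n + 1) == want ||
                substr(pri, length(pri) - n + 1) == want) ok = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release TARBALL.tar.gz SIGNATURE.asc (paths are the caller's; none are
# given on the page). The signature covers the uncompressed tarball, so
# decompress first, then let check_signer decide rather than gpg's exit code.
verify_release() {
    tarball="${1%.gz}"
    gzip -dc "$1" > "$tarball" || return 2
    gpg --batch --status-fd 1 --verify "$2" "$tarball" 2>/dev/null |
        check_signer "$EXPECTED_KEYID"
}

# Constructed status output for a dry run; fingerprints are made up apart from
# the key ID tail, and no real signature is involved.
GOOD_STATUS='[GNUPG:] GOODSIG AA99442FB680B620 constructed signer
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567AA99442FB680B620 2026-01-01 1767225600 0 4 0 1 10 00 0123456789ABCDEF01234567AA99442FB680B620'
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 1111222233334444 constructed other key
[GNUPG:] VALIDSIG 0123456789ABCDEF012345671111222233334444 2026-01-01 1767225600 0 4 0 1 10 00 0123456789ABCDEF012345671111222233334444'
BAD_STATUS='[GNUPG:] BADSIG AA99442FB680B620 constructed signer'

for sample in "$GOOD_STATUS" "$OTHER_KEY_STATUS" "$BAD_STATUS"; do
    if printf '%s\n' "$sample" | check_signer "$EXPECTED_KEYID"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

Call `verify_release` with the downloaded tarball and its detached signature once the signing key has been imported into the keyring; a non-zero return means the archive should not be built.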