Samba 4.24.0rc1 released
Samba developers have released 4.24.0rc1 for testing purposes only. This isn't ready for prime time just yet; it's a candidate build meant to get the community involved before finalizing the version. If you encounter any problems or odd behaviors, report them.
When Samba 4.24 officially lands, expect some real-world usability boosts. Key changes focus on security, how users authenticate, and system performance tuning. One notable new feature is support for remote password management across various identity systems, not just Active Directory but also setups like Entra ID or Keycloak.
This means those services can now update user passwords stored in their databases directly within an AD environment without needing the Samba server to handle the old credential during this process. It's a bit more secure that way, potentially avoiding certain transmission risks associated with older methods.
Alongside password changes, there's also new flexibility built into the authentication system itself: Kerberos PKINIT KeyTrust logons are now supported. That basically means you can integrate Windows Hello for Business-style Key-Trust logons even where the keys involved are self-signed rather than running on official certificates, which is handy because self-signed keys often get used in specific environments.
But security isn't the only focus. System performance is getting a look-in too, thanks to a new Virtual File System (VFS) module that handles asynchronous I/O with more finesse. Administrators can now enforce limits on how fast async operations run using this tool. It analyzes real-time load and automatically adds small delays when throughput gets too high.
The underlying tech also got attention. Samba's response from the Kerberos Key Distribution Center (KDC) now includes the PAC (Privilege Attribute Certificate), which helps secure authentication flows by adding more context checks. Clients are also being nudged to request canonicalization, a process that ensures user names are handled correctly across domains.
For developers working on accounts and computers, there's practical help available too. Two new samba-tool subcommands have landed: generate-csr makes it easier to create certificate signing requests for accounts with specific extensions (like Object SID ones), while the keytrust command helps add details about public keys used in self-signed certificates.
If you're interested in the details, explore the new VFS module documentation. The release notes covering all these changes and the source code itself are available from here if you need to dig in.
