
Samba 4.24 rc2 is now available for download from the official Samba mirror and should only be used in test environments, not production. The release adds audit logging for several AD attributes, supports remote password resets that respect local policies (Entra ID/Keycloak), and introduces Kerberos hardening options such as mandatory canonicalization to block “dollar‑ticket” attacks. New VFS modules provide optional rate‑limiting for async I/O and per‑share encryption on CephFS, but both are unnecessary unless you already have performance or security problems that require them. 



Where to Get the Samba 4.24 rc2 Download and What’s Worth Testing

The Samba 4.24 rc2 release is now on the official download page. This article shows where to grab the tarball, highlights the most interesting changes for a test lab, and points out a few additions that probably aren’t worth the extra configuration hassle.


Grab the RC from the official mirror

The source tarballs live at https://download.samba.org/pub/samba/rc/. Look for samba-4.24.0rc2.tar.gz and its matching .asc signature. After downloading, verify the GPG signature with the key ID AA99442FB680B620, the same key used for every official Samba release.

wget https://download.samba.org/pub/samba/rc/samba-4.24.0rc2.tar.gz
wget https://download.samba.org/pub/samba/rc/samba-4.24.0rc2.tar.gz.asc
gpg --keyserver hkps://keys.openpgp.org --recv-keys AA99442FB680B620
gpg --verify samba-4.24.0rc2.tar.gz.asc samba-4.24.0rc2.tar.gz

If the signature checks out, extract and compile as usual:

tar xzf samba-4.24.0rc2.tar.gz
cd samba-4.24.0rc2
./configure --enable-debug --with-systemd
make -j$(nproc)
sudo make install

The steps aren’t fancy, but they keep the build reproducible and let you compare against a clean source tree.
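One caveat the plain gpg --verify step hides: gpg exits 0 for any good signature, including one from a key you never meant to trust, so the check should also confirm which key signed. The script below is an added example, not Samba project code; it parses gpg’s --status-fd stream and requires the VALIDSIG fingerprint to end in the article’s key ID. The status text at the bottom is constructed for testing, with placeholder fingerprints.

```python
"""Fail-closed check for the samba-4.24.0rc2 tarball signature.

gpg --verify exits 0 for any good signature, including one from a key you
never intended to trust, so this parses the machine-readable --status-fd
stream and also requires the VALIDSIG fingerprint to end in the expected
key ID. Constructed example; not Samba project code.
"""
import subprocess
from typing import Optional

EXPECTED_KEYID = "AA99442FB680B620"  # key ID quoted in the article


def signing_keyid(status_text: str) -> Optional[str]:
    """Key ID (last 16 hex digits of the fingerprint) from the VALIDSIG line,
    or None when gpg reported no valid signature (BADSIG, EXPSIG, missing)."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2][-16:].upper()
    return None


def signature_ok(status_text: str, expected_keyid: str = EXPECTED_KEYID) -> bool:
    """True only for a valid signature made by the expected key."""
    return signing_keyid(status_text) == expected_keyid.upper()


def verify_tarball(tarball: str, signature: str) -> bool:
    """Gate to run before tar xzf: invokes gpg with status output on stdout."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return signature_ok(proc.stdout)


# Constructed status streams, not real gpg output. The fingerprints are
# placeholders whose last 16 hex digits carry the key ID being tested.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AA99442FB680B620 Placeholder Key <placeholder@example.invalid>
[GNUPG:] VALIDSIG 000000000000000000000000AA99442FB680B620 2026-02-01 1769904000 0 4 0 1 10 00 000000000000000000000000AA99442FB680B620
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
WRONG_KEY_STATUS = GOOD_STATUS.replace("AA99442FB680B620", "0123456789ABCDEF")
BAD_SIG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG AA99442FB680B620 Placeholder Key\n"

if __name__ == "__main__":
    ok = verify_tarball("samba-4.24.0rc2.tar.gz", "samba-4.24.0rc2.tar.gz.asc")
    raise SystemExit(0 if ok else 1)
```

Run it in the directory holding the tarball and signature; a non-zero exit means either a bad signature or a valid signature from some other key, and in both cases the build should not proceed.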

Is this RC worth testing in your environment?

Samba 4.24 is still labeled “testing only”, so production use is a hard no‑no. However, if the lab already runs an AD‑compatible domain controller on Linux, the new features can be explored without breaking anything critical.

One administrator reported that after a recent driver update, a Windows 11 workstation stopped authenticating via Kerberos until the “kdc require canonicalization” option was toggled to yes. The change forced clients to request canonical names and eliminated a stray “dollar‑ticket” issue that had been lurking for months.

If you don’t need that level of Kerberos hardening, you can leave the default (no) and avoid potential compatibility headaches with older UNIX clients.

Authentication‑audit logging – finally useful?

The release adds two debug classes (dsdb_password_audit and dsdb_password_json_audit) that log changes to attributes such as altSecurityIdentities, servicePrincipalName, and a few others. The JSON output includes an "action":"Auth info change" field, making it easier for SIEM pipelines to pick up suspicious modifications.

For most small‑office setups the extra noise is negligible, but in a security‑focused lab the logs give a clear view of who touched what. Just remember to enable the debug classes in smb.conf; otherwise the feature sits idle.
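To show what a SIEM pipeline can do with the new JSON audit lines, here is an added example that is not part of the article or of Samba: it pulls out every "Auth info change" event touching altSecurityIdentities or servicePrincipalName and then flags any actor SID that rewrote those attributes on more than one object. Only the action string and attribute names come from the article; the sample lines and their field layout are constructed for the example and will need mapping to what your build actually emits.

```python
"""Triage helper for Samba password/auth-info audit JSON lines.

Only the "action": "Auth info change" field and the attribute names come from
the article; the record layout is an assumption for this constructed example.
"""
import json
from typing import Dict, List, Set

# Attributes whose modification changes who a principal can authenticate as.
WATCHED_ATTRIBUTES = {"altSecurityIdentities", "servicePrincipalName"}

# Constructed sample lines, not real dsdb_password_json_audit output.
SAMPLE_LOG = """\
{"timestamp":"2026-02-08T09:01:12Z","type":"passwordChange","passwordChange":{"action":"Password change","dn":"CN=alice,CN=Users,DC=lab,DC=example","userSid":"S-1-5-21-1-2-3-1105","remoteAddress":"ipv4:10.0.0.15:49152"}}
{"timestamp":"2026-02-08T09:02:40Z","type":"passwordChange","passwordChange":{"action":"Auth info change","dn":"CN=svc-backup,CN=Users,DC=lab,DC=example","userSid":"S-1-5-21-1-2-3-500","remoteAddress":"ipv4:10.0.0.77:50110","attributes":["altSecurityIdentities"]}}
{"timestamp":"2026-02-08T09:03:05Z","type":"passwordChange","passwordChange":{"action":"Auth info change","dn":"CN=fileserver,CN=Computers,DC=lab,DC=example","userSid":"S-1-5-21-1-2-3-500","remoteAddress":"ipv4:10.0.0.77:50111","attributes":["servicePrincipalName","description"]}}
not-json noise that a log forwarder might inject
"""


def parse_events(text: str):
    """Yield one dict per JSON line; non-JSON lines are skipped, not fatal."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def auth_info_changes(events) -> List[tuple]:
    """(dn, attribute, actor sid, remote address) for each watched attribute
    touched by an "Auth info change" event."""
    hits = []
    for ev in events:
        body = ev.get("passwordChange", {})
        if body.get("action") != "Auth info change":
            continue
        for attr in body.get("attributes", []):
            if attr in WATCHED_ATTRIBUTES:
                hits.append((body["dn"], attr, body["userSid"], body["remoteAddress"]))
    return hits


def fan_out_actors(hits: List[tuple], threshold: int = 2) -> Set[str]:
    """Actor SIDs that rewrote auth attributes on at least `threshold` objects."""
    touched: Dict[str, Set[str]] = {}
    for dn, _attr, sid, _addr in hits:
        touched.setdefault(sid, set()).add(dn)
    return {sid for sid, dns in touched.items() if len(dns) >= threshold}
```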

Remote password resets via Entra ID or Keycloak

Samba now respects the “policy hints” control on password‑reset requests, meaning cloud‑based self‑service reset (SSPR) won’t bypass local password history or complexity rules. If you run Azure AD Connect or a Keycloak gateway, this is a genuine quality‑of‑life improvement.

The downside: the feature only works with the embedded Heimdal KDC. Environments still using MIT KDC will see the request rejected, so double‑check your KDC choice before enabling it.

New AIO rate‑limiting VFS module – clever or overkill?

A stackable VFS called aio_rate_limit can throttle async I/O by operations per second or bytes per second. The token bucket algorithm injects millisecond sleeps when the ceiling is exceeded.

In practice, most home labs never hit the limits that trigger throttling. Setting it up requires adding a few lines to each share definition and tuning values through trial and error. If you’re not already battling I/O saturation on a busy file server, skip this module – it adds complexity without visible benefit.

CephFS FSCrypt support – encrypt per‑share

The ceph_new VFS now speaks the Keybridge protocol to fetch encryption keys for CephFS’s FSCrypt feature. This lets you turn on encryption for individual shares while leaving others plain.

For anyone already using Ceph as backend storage, the integration is a solid step forward. The only catch is that you need a working Keybridge daemon (or the KMIP‑compatible server from the sambacc project). Deploying that service just to test one encrypted share may feel like overkill, but the code path is clean and well‑documented.

Recommended KDC hardening defaults

Samba’s own recommendations for a secure Kerberos setup are:

strong certificate binding enforcement = full
kdc always include pac = yes
kdc require canonicalization = yes

If any client refuses to request canonicalization, the alternative setting “kdc name match implicit dollar without canonicalization = no” helps mitigate “dollar‑ticket” attacks without breaking legacy Unix tools.

Quick sanity check list before you start
  1. Verify GPG signature of the tarball.
  2. Compile with --enable-debug if you plan to poke around the new code paths.
  3. Enable the audit debug classes only on a test domain controller.
  4. Turn on kdc require canonicalization after confirming all Windows clients request it.
  5. Skip aio_rate_limit unless you have concrete I/O throttling needs.

Give the RC a spin, break something, file a bug, and help push Samba 4.24 toward a stable release.