
Samba 4.24.0rc3 has arrived, offering several improvements that simplify life for AD administrators and enhance policy enforcement. Notable features include policy hints during password resets, extended PKINIT handling, and a new rate-limiting VFS module to manage peak traffic. The release also introduces changes to Kerberos behavior, such as including PACs in every response by default, and strengthens certificate binding enforcement.



Samba 4.24.0rc3: Fresh Features for AD Administrators

Samba 4.24.0rc3 has just landed, and it’s a treasure trove of tweaks that will make life easier (and sometimes more secure) for anyone running an on‑premise Active Directory. The release candidate isn’t meant for production yet, but it already shows how the team is tightening policy enforcement and adding useful tooling.


Samba 4.24.0rc3: New Features Worth Noting

The biggest headline is the new support for policy hints during password resets. If you’re using Microsoft Entra ID or Keycloak to let users change passwords in the cloud, you’ve probably seen their resets slip through without triggering local history or age checks—just a quick pass that bypasses your on‑prem policy. Samba now understands the “policy hints” control and will apply the same rules as a normal password change, so your local AD keeps its integrity while still letting the cloud service do its thing.

Another win is the extended PKINIT handling. The embedded Heimdal KDC can now accept Windows Hello for Business key‑trust logons with self‑signed certificates, thanks to new keytrust subcommands that stash public keys in the msDS-KeyCredentialLink attribute. For admins who run their own certificate authorities, the added generate-csr command makes it simple to create a CSR that carries the required SID extension for strong mapping.

The release also brings a fresh rate‑limiting VFS module. If your Samba shares are being hammered by heavy async I/O, you can now set an operations‑per‑second or bytes‑per‑second ceiling and let the module inject tiny delays when the ceiling is exceeded. That keeps your storage backend from blowing up under peak traffic without having to rewrite scripts.

What Changed for Admins

Samba 4.24.0rc3 flips a number of defaults that affect Kerberos behavior. The KDC will now include a PAC in every response unless you explicitly turn that off, and it can insist on canonicalized principal names—something Windows clients already do by default. If you’re still supporting older Unix tools that skip canonicalization, set kdc require canonicalization = no but consider tightening the rule for safety.

The new strong certificate binding enforcement option, when set to full, accepts only strong certificate mappings; the compatibility and none values relax that check. The full setting aligns the server with Microsoft KB5014754 recommendations and closes a small but real attack surface involving weak mappings.

Some config knobs have been removed altogether: kdc always include pac, kdc require canonicalization, and others now default to values that are more secure out of the box. If your current smb.conf contains these legacy options, delete them or let Samba rewrite the file during upgrade.

Quick Upgrade Checklist
  1. Download the signed tarball and verify it with GPG key AA99442FB680B620.
  2. Check out the release notes for a full list of changes and known issues.
  3. Back up your existing smb.conf before testing; remove any deprecated options that appear in the “REMOVED FEATURES” table.
  4. Run ./configure --with-default-passwd=sha512 (or whatever you use) and compile as usual.
  5. Test SSPR or Keycloak password resets in a staging environment to confirm policy hints are working.
  6. If you rely on async I/O, experiment with the new AIO‑rate‑limit module by adding vfs objects = aio_rate_limit followed by your limits.
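A pre-upgrade audit for step 3 and the certificate-binding setting above, as an added example that is not part of the Samba project or this post. It scans an smb.conf with plain regexes (not testparm) for the legacy KDC options the article lists as removed and reports the strong certificate binding enforcement value; the sample configuration is constructed here, and the option list should be replaced with the release notes' REMOVED FEATURES table.

```shell
#!/bin/sh
# Added example, not Samba project code: audit smb.conf before a 4.24 upgrade.
# Assumes the global section holds the parameters; matching is a line regex.

# Print the last value set for a parameter, or "unset" (case-insensitive name).
conf_value() {
    val=$(grep -Ei "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$val" ] && echo "$val" || echo "unset"
}

# Print each legacy option still present, one per line (list from the article;
# extend it from the release notes' REMOVED FEATURES table).
legacy_options() {
    for opt in "kdc always include pac" "kdc require canonicalization"; do
        if grep -Eiq "^[[:space:]]*$opt[[:space:]]*=" "$1"; then
            echo "$opt"
        fi
    done
}

# Classify the certificate mapping policy: only "full" is the hardened value.
binding_status() {
    raw=$(conf_value "$1" "strong certificate binding enforcement")
    case "$(echo "$raw" | tr 'A-Z' 'a-z')" in
        full)               echo "ok: full" ;;
        compatibility|none) echo "weak: $raw" ;;
        unset)              echo "unset (4.24 default applies)" ;;
        *)                  echo "unknown value: $raw" ;;
    esac
}

# Constructed sample configuration so the script runs stand-alone.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    kdc always include pac = yes
    strong certificate binding enforcement = compatibility
EOF

echo "legacy options found:"; legacy_options "$SAMPLE_CONF"
echo "certificate binding: $(binding_status "$SAMPLE_CONF")"
```

Point it at your real smb.conf by replacing SAMPLE_CONF; a "weak:" or "legacy options found" line is what to resolve before the upgrade.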

That’s all there is to it—just a few steps and a handful of settings changes, but ones that can make a difference in how your domain enforces policy and handles modern authentication flows. If anything goes sideways, file a bug on Samba’s Bugzilla; the team is quick to respond when you provide clear logs.

Enjoy testing this candidate version. It shows promise for what the next production release will bring—especially if you’re already planning to tighten security or add PKINIT support.