Samba 4.24.4 Released: Fixes RODC Breakage, Use-After-Free, and Trust Hell
The Samba Team has pushed the latest stable release of the 4.24 series to the download mirrors, bringing a batch of targeted fixes for domain controllers and trust relationships. Samba 4.24.4 is the fourth point release in the 4.24 series.
No new features. No performance overhauls. Just bugs. This is a maintenance release, but the fixes touch areas that can bring hybrid Windows/Linux infrastructure to a grinding halt. If you're running Samba as an Active Directory Domain Controller or managing file shares across the network, this update lands squarely in your lap.
The bug fix rundown
Volker Lendecke squashed BUG 16095, a use-after-free condition lurking in ACL handling. Specifically, the bug triggers when dealing with ACLs that include claims and conditions. Use-after-free bugs are never a good sign; they can lead to crashes or, worse, remote code execution. If you're pushing those kinds of ACLs, you're looking at a potential exploit vector if you skip this update.
Stefan Metzmacher seems to be the hero of this release, handling a cluster of issues. He fixed BUG 14638, a regression where setting restrict anonymous = 2 broke Read-Only Domain Controller functionality. If you've hardened your Samba DCs with that parameter and watched your RODCs go dark, this fix gets you back in business.
Trusts are the nightmare of every sysadmin's Tuesday. Metzmacher addressed BUG 16067, where requiring NTLMv2 session security on Windows made trusts to Samba unusable. The handshake wasn't playing nice, and the trusts fell over. The patch restores functionality without requiring you to weaken your security posture.
Winbindd was also stuck in a loop. BUG 16151 sees winbindd hanging in init_dc_connection_rpc(), returning NT_STATUS_TRUSTED_DOMAIN_FAILURE. If you've seen the logs filling up with that error, the deadlock is gone in 4.24.4.
Andreas Schneider handled BUG 16149, where domain\user formats weren't splitting correctly in smbc_set_credentials_with_fallback(). Gary Lockyer tackled BUG 16092, fixing tautological-compare warnings that some compilers might ignore, which could mask overflow checks.
Keep in mind that if you're using Windows clients that enforce NTLMv2 and you have trusts pointing at Samba, upgrading is less of a recommendation and more of a necessity. The breakage is real.
The version number joke and reality
Samba has been holding the pipe between Linux and Windows since 1992. Andrew Tridgell, a PhD student at the Australian National University, wrote the first version after sniffing DEC Pathworks traffic. It's now June 2026, and we're on version 4.24.4.
Critics often point to the stagnant version number as a sign of age. The code is over three decades old, yet it powers the Active Directory implementations for countless Linux servers, from PaaS providers to enterprise-grade NAS solutions. The fact that 4.24.4 is still fixing critical trust regressions suggests the complexity of the ecosystem hasn't diminished, even if the core is battle-tested. The version number tells you nothing about the workload Samba carries today.
Where to get it
You can grab the uncompressed tarballs and patch files from the stable download directory. The source code is signed with GnuPG ID AA99442FB680B620.
Head here to download the release. The full release notes are available at this location.
If you run into issues, file a bug report under Samba 4.1 and newer in the project's Bugzilla database. The Samba Team is clear about feedback quality. They want detailed reports. Vague complaints get ignored. As the announcement states: "Our Code, Our Bugs, Our Responsibility."
For those who prefer the chatter to stay in their inbox, you can discuss the release on the samba-technical mailing list or join the #samba-technical room on Matrix or IRC. Not cheap on the features front, but exactly what you need if your domain controllers are acting up. That's the job.
