[Samba] [Announce] Samba 4.24.0rc2 Available for Download
Simon FONTENEAU
sfonteneau at tranquil.it
Fri Feb 13 14:53:13 UTC 2026
Hi
On Samba 4.24.0rc2 we noticed a mismatch in how the
altSecurityIdentities value is encoded for certificate mapping
(X509:<I>…<SR>…).
When we set the mapping from RSAT / ADUC (right-click user -> Name
Mapping…), RSAT stores the Issuer DN in this order:
X509:<I>CN=Intermediate CA SAMBA,C=FR,O=SAMBA<SR>e94d23f360ebdd3a11636b78878fdf74b47df179
But Samba expects the Issuer DN with the components in the opposite
order, e.g.:
X509:<I>O=SAMBA,C=FR,CN=Intermediate CA SAMBA<SR>79F17DB474DF8F87786B63113ADDEB60F3234DE9
So it’s simply that the Issuer DN list is reversed between what RSAT
writes and what Samba is expecting, which makes the mapping unusable
when configured from Microsoft tools.
Microsoft’s KB about CBA mentions altSecurityIdentities but doesn’t
clarify this ordering detail:
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
There are also community scripts/examples that build X509:<I>…<SR>… by
reversing the Issuer DN components (which matches what RSAT does):
https://github.com/x746b/AD-Powershell/blob/master/Get-X509IssuerSerialNumberFormat.ps1
https://bugzilla.samba.org/show_bug.cgi?id=16001
Simon
On 06/02/2026 at 10:53, Björn JACKE via samba wrote:
> Release Announcements
> =====================
>
> This is the second release candidate release of Samba 4.24. This is *not*
> intended for production environments and is designed for testing
> purposes only. Please report any defects via the Samba bug reporting
> system at https://bugzilla.samba.org/.
>
> Samba 4.24 will be the next version of the Samba suite.
>
>
> UPGRADING
> =========
>
>
> NEW FEATURES/CHANGES
> ====================
>
> Authentication information audit support
> ----------------------------------------
>
> There are some Active Directory attributes that are not secret, but
> are relied on in some forms of authentication. Changes to these
> attributes could indicate surreptitious activity. The
> "dsdb_password_audit" and "dsdb_password_json_audit" debug classes now
> log changes to the following attributes:
>
> * altSecurityIdentities
> * dNSHostName
> * msDS-AdditionalDnsHostName
> * msDS-KeyCredentialLink
> * servicePrincipalName
>
> For the JSON logs, changes to these will be logged with the "action"
> field set to "Auth info change".
>
>
> vfs_streams_xattr can hold larger streams
> -----------------------------------------
>
> On Linux the size of a single extended attribute is limited to 65536
> bytes of size. For some file systems, this is also the overall limit
> of space for xattrs, but for example xfs can hold more than that 64k
> of extended xattrs, although the individual xattr is still limited to
> 64k. Setting
>
> streams_xattr:max xattrs per stream = 1
>
> to a higher value than 1 will allow Samba to shard the stream to more
> than one xattr. It has an artificial limit of 16 for a maximum stream
> length of 1MB.
>
>
> Support for remote password management (Entra ID SSPR, Keycloak)
> ----------------------------------------------------------------
>
> When a system such as Entra ID or Keycloak wants to change a user's
> password in its own database as well as in AD, it will use a password
> reset, meaning it does not transmit the old password to the domain
> controller. Normally a password reset avoids password history and age
> checks, which would allow a cloud password change to bypass
> on-premises password policies. To address this, a password reset using
> the "policy hints" control should respect password policies, as if it
> were an ordinary password change. Both Entra ID and Keycloak use this,
> but until now Samba did not understand this control, and would reject
> these reset requests.
>
> Now Samba AD will recognise the policy hints control and enforce local
> policy. This allows Microsoft Entra self-service password reset (SSPR)
> to work, and for Keycloak to work with the "password policy hints
> enabled" option.
>
>
> Kerberos PKINIT KeyTrust logon support
> --------------------------------------
>
> Samba servers configured with the embedded heimdal KDC and running as an ADDC,
> now support "Windows Hello for Business Key-Trust logons". This allows the
> PKINIT authentication mechanism to be used with self-signed keys.
>
> The samba-tool computer and user commands have a new "keytrust"
> sub-command which allows for the setting and viewing of the public key
> details for computer and user accounts. This stores the public key
> details in msDS-KeyCredentialLink attribute of the account.
>
>
> msDS-KeyCredentialLink validation
> ---------------------------------
>
> Updates to the msDS-KeyCredentialLink attribute are validated against the
> rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
>
> Kerberos PKINIT strong/flexible key mappings
> --------------------------------------------
>
> Samba servers configured with the embedded heimdal KDC and running as an ADDC
> now support "Windows Strong and Flexible key mappings" as outlined in
> Microsoft KB5014754: Certificate-based authentication changes on Windows domain
> controllers.
>
> The default enforcement mode ("full") allows only strong certificate
> mappings. The smb.conf option
>
> strong certificate binding enforcement = compatibility
>
> will allow weak mappings where the certificate is newer than the user
> account. The option "none" will allow any mappings.
>
> The mappings for an account should be placed in the altSecurityIdentities
> attribute and follow the syntax documented in KB5014754.
>
>
> Kerberos PKINIT SID extension
> -----------------------------
>
> PKINIT authentication now supports certificates containing an Object SID
> extension (extension 1.3.6.1.4.1.311.25.2), this is considered to be a STRONG
> mapping for KB5014754.
>
> The computer and user samba-tool commands have a new sub-command
> "generate-csr" to generate certificate signing requests.
>
>
> KDC includes PAC by default
> ---------------------------
>
> Samba will ignore the value provided by the client in "PA-PAC-REQUEST"
> and always include a PAC in responses, unless "kdc always generate
> pac" is set to "no".
>
>
> KDC can insist clients request canonicalization
> -----------------------------------------------
>
> Canonicalization of principal client names is not mandatory in
> Kerberos (per RFC4120), but must be requested by the client. In some
> circumstances this allows a client to deceive Active Directory member
> servers (known as the "dollar ticket" attack).
>
> The new configuration option "kdc require canonicalization" can be
> used to require that clients request canonicalization; if they do not,
> their AS_REQ requests will be rejected as if the account was unknown.
>
> The default value is "no", for backward compatibility. Windows clients
> will ask for canonicalization by default, so in Windows-heavy
> environments it is safe and recommended to set this to "yes".
>
> KDC can avoid potentially confusing canonicalization
> ----------------------------------------------------
>
> Currently when the client does not request canonicalization, when the
> KDC looks up a name and there is no match it will append a "$" to the
> name and try again. An attacker who can create arbitrary machine
> accounts can sometimes get tickets for Unix users by mimicking their
> names (the "dollar ticket" attack).
>
> The configuration option
>
> kdc name match implicit dollar without canonicalization = no
>
> can be used to disable this behaviour for clients that do not request
> canonicalization. Probably this only affects traditional Unix clients,
> as Windows clients use canonicalization. If affected clients want a
> ticket for a machine account, they will have to use the full name
> including the dollar (e.g. "server$", not "server").
>
> If the "kdc require canonicalization" option cannot be set to "yes"
> (because some clients do not request canonicalization) setting this
> option to "no" is a good alternative.
>
>
> KDC provides Kerberos acceptors with canonical client names
> -----------------------------------------------------------
>
> By default the KDC will now send Kerberos services the canonicalized
> name (the sAMAccountName from the PAC) rather than trusting the cname.
>
> To return to the old behaviour, use
>
> krb5 acceptor report canonical client name = no
>
> in the smb.conf.
>
> This currently affects Heimdal KDC only, not MIT.
>
>
> KDC recommended configuration:
> -----------------------------
> strong certificate binding enforcement full
> kdc always include pac yes
> kdc require canonicalization yes
>
> If unable to use "kdc require canonicalization" = "yes", then
> "kdc name match implicit dollar without implicit canonicalization" should be
> set to "no" if possible.
>
> samba tool
> ----------
>
> Two new sub-commands have been added to the user and computer commands:
>
> user|computer generate-csr
> Generate a Certificate signing request for an account containing the
> Object SID extension (extension 1.3.6.1.4.1.311.25.2)
>
> user|computer keytrust
> Add the public key details of a self signed certificate to an account.
> The command supports PEM and DER encoded public keys.
>
>
> New AIO rate-limiting VFS module
> --------------------------------
> A new VFS stackable module has been introduced to implement rate-limiting for
> asynchronous I/O operations. Administrators can now enforce throughput ceilings
> by defining limits in either operations per second or bytes per second. The
> module utilizes a token-based algorithm to calculate real-time I/O load; when
> limits are exceeded, it dynamically injects millisecond delays into async
> operations to maintain the defined threshold.
>
>
> CephFS FSCrypt support for the VFS ceph_new module
> --------------------------------------------------
> The ceph_new VFS module can now make use of the FSCrypt feature recently added
> to CephFS. This enhancement enables data and file name encryption on a per
> share basis. A single CephFS file system may host a mix of encrypted and
> unencrypted directories.
>
> To obtain the encryption keys needed for FSCrypt the ceph_new module includes
> support for the Keybridge protocol. Keybridge is an RPC protocol based on
> Varlink that can retrieve keys from a local service via a UNIX socket. Users
> can choose to develop a custom Keybridge implementation or use the existing
> KMIP-compatible Keybridge server available as part of the sambacc project
> (https://github.com/samba-in-kubernetes/sambacc).
>
>
> REMOVED FEATURES
> ================
>
>
> smb.conf changes
> ================
>
> Parameter Name                                           Description  Default
> --------------                                           -----------  -------
> strong certificate binding enforcement                   New          full
> certificate backdating compensation                      New          0
> kdc always include pac                                   New          yes
> kdc require canonicalization                             New          no
> kdc name match implicit dollar without canonicalization  New          yes
>
>
> CHANGES SINCE 4.24.0rc1
> =======================
>
> o Samuel Cabrero <scabrero at samba.org>
> * BUG 15979: possible memory leak on rpc_spoolss
>
> o Pavel Filipenský <pfilipensky at samba.org>
> * BUG 15972: Winbind group resolution failure
>
> o Noel Power <noel.power at suse.com>
> * BUG 15979: possible memory leak on rpc_spoolss
>
> o Martin Schwenke <mschwenke at ddn.com>
> * BUG 15977: ctdbd socket documentation is wrong
>
> o Michael Tokarev <mjt at tls.msk.ru>
> * BUG 15976: time_t related build failure on 32bit arch in 4.24.0rc1
>
>
> KNOWN ISSUES
> ============
>
> https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.24#Release_blocking_bugs
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical:matrix.org matrix room, or
> #samba-technical IRC channel on irc.libera.chat
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/rc/
>
> The release notes are available online at:
>
> https://download.samba.org/pub/samba/rc/samba-4.24.0rc2.WHATSNEW.txt
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>