Samba 4.24.0 ships Kerberos hardening and a CVE fix for domain encryption defaults

Samba 4.24.0 arrived carrying a set of Kerberos security changes aimed at Active Directory deployments. The release fixes a vulnerability, extends audit coverage for sensitive AD attributes, and introduces configuration options to counter two related Kerberos impersonation techniques.

Samba 4.24.0 Kerberos

A CVE drives the encryption default change

The most directly security-relevant change in 4.24.0 is a shift in default encryption types for Kerberos. The kdc default domain supported enctypes parameter now defaults to AES-128 and AES-256 (specifically aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96) on domains running at the 2008 functional level or above. This change addresses CVE-2026-20833.

Kerberos canonicalization controls

Two new KDC configuration options target the “dollar ticket” attack, a technique in which an attacker who can create arbitrary machine accounts obtains Kerberos tickets for Unix user accounts by creating machine accounts whose names mimic those users with an appended dollar sign.

The option kdc require canonicalization lets administrators require that clients explicitly request principal name canonicalization. Clients that do not request it have their AS-REQ rejected as if the account were unknown. The default is no for backward compatibility. Windows clients request canonicalization by default, so the release notes recommend setting this to yes in Windows-heavy environments.

For environments where requiring canonicalization is not possible, the option kdc name match implicit dollar without canonicalization can be set to no. This disables the KDC behavior of appending a dollar sign to unmatched names for clients that did not request canonicalization.

The release notes include a recommended KDC configuration table: strong certificate binding enforcement set to full, kdc always include pac set to yes, and kdc require canonicalization set to yes.

PAC always included

Samba 4.24.0 changes the KDC to ignore the PA-PAC-REQUEST value sent by clients and include a Privilege Attribute Certificate (PAC) in all responses by default. The prior behavior, where the KDC honored client requests to omit the PAC, can be restored by setting kdc always generate pac = no.

The KDC also now sends services the canonicalized client name from the PAC, using the sAMAccountName, rather than trusting the cname field. This applies to the Heimdal KDC only; the MIT KDC is unaffected. The prior behavior is available via krb5 acceptor report canonical client name = no.
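The following is an added example, not code from the Samba project or the release notes: a small audit script that parses an smb.conf [global] section and reports where it diverges from the recommended KDC configuration described above. The parameter names are taken as printed in the release-notes table quoted in this article, and the two sample configurations are constructed for the example.

```python
import configparser
import re

# Recommended KDC settings, with names as printed in the release-notes table.
RECOMMENDED = {
    "strong certificate binding enforcement": "full",
    "kdc always include pac": "yes",
    "kdc require canonicalization": "yes",
}
ENCTYPES_PARAM = "kdc default domain supported enctypes"
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
TRUE_WORDS = {"yes", "true", "1", "on"}  # smb.conf boolean spellings

def _normalise(name):
    # smb.conf parameter names ignore case and internal whitespace
    return re.sub(r"\s+", " ", name.strip().lower())

def load_global(conf_text):
    # Parse smb.conf text and return [global] as {normalised name: value}
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = _normalise
    parser.read_string(conf_text)
    if not parser.has_section("global"):
        return {}
    return {k: v.strip() for k, v in parser.items("global")}

def _matches(got, want):
    got = got.lower()
    return got == want or (want == "yes" and got in TRUE_WORDS)

def audit_kdc_settings(conf_text):
    # Return a list of findings; an empty list means the hardened values are set
    g = load_global(conf_text)
    findings = []
    for param, want in RECOMMENDED.items():
        got = g.get(param)
        if got is None or not _matches(got, want):
            findings.append(f"{param}: got {got!r}, want {want!r}")
    enc = g.get(ENCTYPES_PARAM)
    if enc is not None:  # unset: 4.24.0 AES default applies at level 2008+
        names = {t.lower() for t in enc.split()}
        if any(t.isdigit() for t in names):
            findings.append(f"{ENCTYPES_PARAM}: numeric bitmask, review manually")
        elif not names <= AES_ENCTYPES:
            weak = sorted(names - AES_ENCTYPES)
            findings.append(f"{ENCTYPES_PARAM}: non-AES entries {weak}")
    return findings

# Constructed sample configurations for the example
WEAK_CONF = "[global]\nrealm = EXAMPLE.INTERNAL\nkdc require canonicalization = no\n" \
            "kdc default domain supported enctypes = rc4-hmac aes256-cts-hmac-sha1-96\n"
HARDENED_CONF = "[global]\nrealm = EXAMPLE.INTERNAL\nstrong certificate binding enforcement = full\n" \
                "kdc always include pac = yes\nkdc require canonicalization = true\n" \
                "kdc default domain supported enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n"
```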

PKINIT key trust and certificate mapping

Samba AD domain controllers using the embedded Heimdal KDC now support Windows Hello for Business Key-Trust logons. This implements PKINIT authentication with self-signed keys, storing public key details in the msDS-KeyCredentialLink attribute. Two new samba-tool subcommands support this: keytrust for setting and viewing public key details on user and computer accounts, and generate-csr for generating certificate signing requests that include the Object SID extension (OID 1.3.6.1.4.1.311.25.2).

Certificate-based authentication now follows Microsoft KB5014754 enforcement. The default mode (full) permits only strong certificate mappings. The compatibility mode allows weak mappings where the certificate predates the user account. A none setting allows any mappings. Certificates containing the Object SID extension qualify as strong mappings under KB5014754.

Updates to the msDS-KeyCredentialLink attribute are validated against the rules in MS-ADTS 3.1.1.5.3.1.1.6.

Authentication attribute audit logging

The dsdb_password_audit and dsdb_password_json_audit debug classes now log changes to five AD attributes: altSecurityIdentities, dNSHostName, msDS-AdditionalDnsHostName, msDS-KeyCredentialLink, and servicePrincipalName. In JSON logs, changes to these attributes appear with the action field set to Auth info change. The release notes describe these attributes as not secret but relied upon in certain authentication paths, where unauthorized changes could indicate surreptitious activity.
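As an added example (not from the Samba project), here is detection logic run over a few constructed JSON audit records, picking out the Auth info change records and separating a machine account updating its own attributes from another principal editing a user's key or certificate mapping. Only the action string and the five attribute names come from the article; the record layout (passwordChange, dn, attribute, sessionUser fields) is an assumption made for this example, not Samba's documented schema.

```python
import json

# The five attributes the audit classes cover from 4.24.0 (release-notes names)
AUTH_INFO_ATTRS = {
    "altSecurityIdentities", "dNSHostName", "msDS-AdditionalDnsHostName",
    "msDS-KeyCredentialLink", "servicePrincipalName",
}

# Constructed sample records; the field layout is assumed, not Samba's schema.
SAMPLE_LOG = """\
{"timestamp":"2026-03-01T10:00:01Z","type":"passwordChange","passwordChange":{"action":"Reset","dn":"CN=alice,CN=Users,DC=example,DC=internal","sessionUser":"helpdesk"}}
{"timestamp":"2026-03-01T10:02:15Z","type":"passwordChange","passwordChange":{"action":"Auth info change","dn":"CN=WS01,CN=Computers,DC=example,DC=internal","attribute":"dNSHostName","sessionUser":"WS01$"}}
{"timestamp":"2026-03-01T10:03:40Z","type":"passwordChange","passwordChange":{"action":"Auth info change","dn":"CN=bob,CN=Users,DC=example,DC=internal","attribute":"msDS-KeyCredentialLink","sessionUser":"WS01$"}}
not json at all
"""

def _is_self_change(dn, actor):
    # Compare the leading RDN value (CN=WS01 -> "WS01") with the actor's
    # account name, dropping the trailing "$" that machine accounts carry.
    cn = dn.split(",", 1)[0].partition("=")[2]
    return cn.lower() == actor.rstrip("$").lower()

def parse_auth_info_changes(log_text):
    """Return (findings, skipped): one dict per 'Auth info change' record.

    Malformed lines are counted and skipped rather than aborting the scan,
    so a partially corrupted audit log still yields detections."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        body = rec.get("passwordChange", {})
        if body.get("action") != "Auth info change":
            continue
        attr, target, actor = body.get("attribute"), body.get("dn", ""), body.get("sessionUser", "")
        findings.append({
            "time": rec.get("timestamp"), "dn": target, "attribute": attr,
            "known_attr": attr in AUTH_INFO_ATTRS,
            # A computer updating its own dNSHostName/SPN is routine; another
            # principal editing a user's key/cert mapping deserves a look.
            "self_change": _is_self_change(target, actor),
        })
    return findings, skipped

def cross_principal_changes(findings):
    # The subset worth triaging first: changes not made by the object itself
    return [f for f in findings if not f["self_change"]]
```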

Remote password management compatibility

Samba AD now recognizes the password policy hints control used by Microsoft Entra ID self-service password reset (SSPR) and Keycloak. Previously, Samba rejected password resets that used this control. The change means that password resets originating from Entra ID or Keycloak will be evaluated against on-premises password policies, including history and age checks, in the same way a local password change would be.

Storage and I/O additions

On the file system side, the vfs_streams_xattr module gains the ability to shard a single stream across multiple extended attributes. The streams_xattr:max xattrs per stream parameter accepts values above 1, with a limit of 16, allowing streams up to 1 MB on file systems like XFS where per-attribute size is capped at 64 KB.

A new VFS module, vfs_aio_ratelimit, lets administrators set throughput ceilings on asynchronous I/O operations, expressed in either operations per second or bytes per second. The module uses a token-based algorithm to track real-time load and injects millisecond delays when operations exceed the defined threshold.

The ceph_new VFS module adds support for CephFS FSCrypt, enabling per-share data and file name encryption. Key retrieval uses the Keybridge protocol, an RPC mechanism based on Varlink that communicates over a UNIX socket. A KMIP-compatible Keybridge server is available through the sambacc project.
