The Samba project dropped its 4.24 release on March 18, 2026 — and for any Linux team running an on-premises Active Directory environment, this one isn't optional. Samba 4.24's Kerberos hardening, AES-only encryption defaults, and a direct fix for CVE-2026-20833 make this upgrade a security mandate first and a convenience second.
- Samba 4.24 released on March 18, 2026 — the first stable entry in the 4.24 series, targeting Linux systems acting as Active Directory domain controllers.
- CVE-2026-20833 is patched: Kerberos encryption now defaults to AES-128 and AES-256 on domains running at the Windows Server 2008 functional level or above — weak ciphers are no longer the fallback.
- Two new KDC flags counter the "dollar ticket" impersonation attack — administrators can now enforce strict Kerberos principal canonicalization at the server level.
- Microsoft Entra ID and Keycloak SSPR compatibility added — cloud-triggered password resets now enforce on-premises Samba password policies end-to-end.
- Storage gains are real: vfs_streams_xattr now supports streams up to 1 MB on XFS (up from 64 KB), and a new AIO rate-limiting module lets admins throttle async I/O with ops/sec and bytes/sec ceilings.
What Happened
Samba 4.24 Released: What's Driving the Security-First Agenda
After years of quietly powering Linux-to-Windows interoperability on millions of servers globally, the Samba project is sending a clear signal with this release: the era of tolerating weak authentication defaults is over. Samba 4.24.0 landed on March 18, 2026, and the changes packed inside are skewed heavily toward hardening the Kerberos stack that underpins every Active Directory domain controller running on Linux.
This isn't just a maintenance bump. The decision to flip the default Kerberos encryption to AES — and to close a real, tracked vulnerability in the process — puts this release in a category that demands attention from every enterprise team managing hybrid Linux/Windows infrastructure. Read the release notes before you run the upgrade command.
Security
CVE-2026-20833 Explained: Why Weak Defaults Were a Real Threat
The vulnerability at the center of this release wasn't exotic. It came down to the fact that, by default, Samba's KDC would negotiate Kerberos encryption types that included weaker algorithms — leaving the door open for a local attacker to exploit the cryptographic negotiation process and gain access to sensitive authentication data.
Samba 4.24 closes this by making AES-128 (aes128-cts-hmac-sha1-96) and AES-256 (aes256-cts-hmac-sha1-96) the default values for the kdc default domain supported enctypes parameter — but only for domains operating at the Windows Server 2008 functional level or higher. If your domain is still at an older functional level, the old behavior remains. That gap is worth flagging during any upgrade review.
Before upgrading, review your smb.conf and identify any endpoints that cannot negotiate AES. Introducing AES-only defaults without a client compatibility check is a fast path to a domain authentication outage.
Technical Details
The "Dollar Ticket" Attack — And How 4.24 Stops It
Alongside the CVE fix, the Samba team has directly addressed a Kerberos impersonation technique that researchers have informally called the "dollar ticket" attack. The mechanism works like this: in Active Directory, machine accounts are conventionally suffixed with a dollar sign (e.g., WORKSTATION$). An attacker who can create arbitrary machine accounts can register one whose name, with a dollar appended, closely mirrors a legitimate Unix user account. Without strict principal name canonicalization enforcement, the KDC could be tricked into issuing tickets for the wrong identity.
Samba 4.24 introduces two new KDC options to shut this down. The first, kdc require canonicalization, lets administrators demand that all Kerberos clients explicitly declare they are requesting principal name canonicalization — clients that skip this step get their authentication requests rejected as though the account doesn't exist. Since Windows clients already request canonicalization by default, the Samba team recommends enabling this in Windows-heavy environments. The second option, kdc name match implicit dollar without canonicalization, specifically controls whether the KDC will append a dollar sign to try to match unrecognized account names — setting it to no cuts off the impersonation vector for environments where full canonicalization enforcement isn't yet possible.
The KDC now also ignores the PA-PAC-REQUEST value from clients and always includes a Privilege Attribute Certificate (PAC) in responses. The previous behavior — which respected a client's request to omit the PAC — can be manually restored by setting kdc always generate pac = no in your config, but security teams should scrutinize that decision carefully before reverting.
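The four KDC parameters discussed above are the ones an upgrade review should check in smb.conf. The following is an added example, not code from the Samba project: it parses two constructed smb.conf fragments, one with a legacy override that undoes the 4.24 defaults and one hardened, and reports findings. The fallback values it assumes for parameters that are absent are this script's assumption, not Samba's documented defaults.

```python
import configparser

# Constructed smb.conf fragments (not from the Samba project). Parameter names
# are the ones Samba 4.24 documents; the fallback values used below when a
# parameter is absent are an assumption of this check, not Samba's defaults.
WEAK_SMB_CONF = """
[global]
    server role = active directory domain controller
    # legacy override that re-enables RC4 next to AES
    kdc default domain supported enctypes = rc4-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    kdc always generate pac = no
"""

HARDENED_SMB_CONF = """
[global]
    server role = active directory domain controller
    kdc default domain supported enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    kdc require canonicalization = yes
    kdc name match implicit dollar without canonicalization = no
    kdc always generate pac = yes
"""

# Enctypes the 4.24 defaults drop; listing them in an explicit override brings
# back the negotiation weakness behind CVE-2026-20833.
LEGACY_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}


def global_params(text):
    """Parse [global]; Samba parameter names and values are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip().lower() for k, v in cp.items("global")}


def audit_kdc_settings(text):
    """Return (severity, parameter, detail) findings for the 4.24 KDC hardening knobs."""
    g = global_params(text)
    findings = []
    enc = g.get("kdc default domain supported enctypes")
    weak = sorted(LEGACY_ENCTYPES & set(enc.split())) if enc else []
    if weak:
        findings.append(("high", "kdc default domain supported enctypes", "re-enables " + " ".join(weak)))
    if g.get("kdc always generate pac", "yes") == "no":
        findings.append(("high", "kdc always generate pac", "clients may again request PAC omission"))
    if g.get("kdc require canonicalization", "no") != "yes":
        findings.append(("recommended", "kdc require canonicalization", "not enforced"))
    if g.get("kdc name match implicit dollar without canonicalization", "yes") != "no":
        findings.append(("recommended", "kdc name match implicit dollar without canonicalization", "KDC may still append $"))
    return findings
```

Run `audit_kdc_settings(open("/etc/samba/smb.conf").read())` on a staging DC to list the overrides worth revisiting before the production upgrade.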
"Defaulting to AES encryption and enforcing stricter certificate bindings helps plug vulnerabilities that previously let attackers exploit weaker authentication protocols — it's a solid upgrade for any server acting as a domain controller, provided administrators review their smb.conf settings carefully."
— Samba Release Assessment, LinuxCompatible.org, March 2026
What's New at a Glance
Samba 4.24 Feature Breakdown
| Feature Area | What Changed | Admin Action Required? |
|---|---|---|
| Kerberos Encryption | AES-128 & AES-256 now default on 2008+ functional level domains (CVE-2026-20833 fix) | Yes — audit legacy clients |
| Dollar Ticket Defense | Two new KDC flags: kdc require canonicalization and kdc name match implicit dollar without canonicalization | Recommended — enable in Windows environments |
| PAC Enforcement | KDC always issues PAC regardless of client request; canonicalized sAMAccountName used in service tickets | Review if custom PAC handling exists |
| PKINIT Key Trust | Windows Hello for Business Key-Trust logons now supported via samba-tool keytrust and generate-csr | Optional — new capability |
| Certificate Mapping | KB5014754 enforcement: default mode is full (strong mappings only); Object SID extension required for strong binding | Yes — review certificate chain |
| Entra ID / Keycloak SSPR | Samba now accepts password policy hint controls from Microsoft Entra ID SSPR and Keycloak password resets | No — works automatically |
| vfs_streams_xattr | Streams can now be sharded across up to 16 xattrs, enabling up to 1 MB per stream on XFS | Optional — tune streams_xattr:max xattrs per stream |
| AIO Rate Limiting | New vfs_aio_ratelimit module with ops/sec and bytes/sec ceiling controls using a token-based algorithm | Optional — configure as needed |
| CephFS FSCrypt | Per-share data and filename encryption via ceph_new module using Keybridge/Varlink key retrieval | Optional — requires Keybridge setup |
| Audit Logging | 5 new AD attributes now logged on change: altSecurityIdentities, dNSHostName, msDS-KeyCredentialLink, and more | No — automatic if password audit enabled |
New Tooling
samba-tool Gets Windows Hello and Certificate Support
Two new subcommands extend samba-tool in ways that sysadmins integrating with modern Windows infrastructure will appreciate immediately. The keytrust subcommand lets administrators view and set public key data on user and computer accounts — the foundation for supporting Windows Hello for Business Key-Trust authentication flows, where a self-signed key is stored in the msDS-KeyCredentialLink attribute rather than relying on a traditional certificate authority chain.
The generate-csr subcommand handles the creation of certificate signing requests that include the Object SID extension (OID 1.3.6.1.4.1.311.25.2). This extension is the key ingredient for achieving a "strong mapping" under Microsoft's KB5014754 enforcement framework — without it, your certificates fall into the weaker mapping category, which Samba 4.24 no longer accepts by default.
Cloud Identity
Entra ID and Keycloak Password Resets Now Obey Your On-Premises Policies
One of the more practical wins in this release lands for teams running hybrid identity setups. When end users trigger a self-service password reset through Microsoft Entra ID or Keycloak, the reset flow previously sent a password policy hint control alongside the change request. Samba would reject it — meaning the cloud reset succeeded without any awareness of on-premises password history, age restrictions, or complexity rules.
Samba 4.24 now recognizes and correctly processes these hint controls. The result is that a cloud-initiated SSPR flow passes cleanly through Samba's on-premises policy engine, enforcing the same rules that would apply if the user changed their password locally. For organizations that spent time building workarounds for this gap, this is a meaningful operational simplification.
Storage
Bigger Streams, Smarter I/O — Storage Improvements in Detail
File system admins working with XFS-backed Samba shares will notice the most tangible storage improvement. The vfs_streams_xattr module previously hit a ceiling because XFS caps individual extended attribute values at 64 KB. A single stream larger than that simply couldn't be stored. Samba 4.24 solves this by allowing a stream to be distributed across up to 16 extended attributes — controlled by the new streams_xattr:max xattrs per stream parameter — pushing the practical limit to 1 MB per stream.
The new vfs_aio_ratelimit module addresses a different class of problem: runaway async I/O workloads. Using a token-based rate control algorithm, administrators can now define hard ceilings expressed as either operations per second or bytes per second. When the threshold is reached, the module introduces millisecond-level delays rather than allowing the I/O queue to spiral. For shared storage environments with mixed workload profiles, this kind of throttling control can mean the difference between a degraded share and a stable one.
On the distributed storage side, the ceph_new VFS module now supports CephFS FSCrypt — enabling per-share encryption that covers both file data and file names. Key material is retrieved using the Keybridge protocol (a Varlink-based RPC running over a UNIX domain socket), with a KMIP-compatible Keybridge server available through the open-source sambacc project for teams that don't want to implement their own.
Timeline
How Samba Got Here: A Brief History of the Security Journey
- 2012: Samba 4.0 ships as the first version capable of functioning as a full Active Directory domain controller on Linux — a milestone that opened the door to Windows-free AD environments at scale.
- 2022: Microsoft begins phasing out RC4 and DES Kerberos encryption in Windows environments, pushing enterprises toward AES. Samba's defaults don't yet follow suit, creating a gap between Windows-native and Linux-hosted domain controllers.
- 2024: Microsoft enforces KB5014754 strong certificate mapping in Windows environments, raising the bar for certificate-based Kerberos authentication across Active Directory. Linux AD controllers begin feeling pressure to match this posture.
- Early 2026: CVE-2026-20833 is tracked and assigned — a vulnerability rooted in Samba's permissiveness around weak Kerberos encryption defaults. The fix is scoped for the 4.24 release cycle.
- March 18, 2026: Samba 4.24.0 ships — AES becomes the default, the CVE is patched, dollar ticket defense lands, and the tool gains Windows Hello Key-Trust and Entra ID SSPR support in a single release.
How to Upgrade
Upgrading to Samba 4.24 — Package Commands and What to Do First
The package commands themselves are straightforward. On RHEL, Rocky Linux, or AlmaLinux, run dnf update samba. On Ubuntu Server, apt update && apt upgrade samba handles it. But the command is the easy part — preparation is where most teams will spend their time.
Before touching production, work through this sequence: pull up your smb.conf and locate any explicit kdc default domain supported enctypes overrides; identify every client device connecting to this domain and confirm AES Kerberos support; and if your environment includes any application service accounts that use certificate-based authentication, verify those certificates carry the Object SID extension or update your certificate issuance process accordingly.
kdc default domain supported enctypes in smb.conf. (3) Test AES Kerberos on a staging domain controller before rolling to production. (4) Review all service account certificates for Object SID extension compliance. (5) Document any TLS load balancer configurations that terminate LDAP connections before they reach Samba.
LinuxTeck Take
What This Means for Linux Infrastructure Teams
Samba has always had a dual identity: beloved by smaller shops for its flexibility, and viewed with cautious respect by enterprise teams who need it to behave exactly like a Windows domain controller. Samba 4.24 represents the project making a firm, deliberate move toward the enterprise standard — AES encryption, stronger certificate enforcement, Windows Hello parity, and cloud identity integration. That's a meaningful shift in posture.
For Linux sysadmins, the practical message is this: treat this upgrade the way you'd treat a Windows domain controller patch for a known CVE. Read the release notes in full, stage the change, and give your certificate and Kerberos configurations the same attention you'd give any security-critical migration.
For further reading on related Linux security and enterprise networking topics, explore our coverage of Ubuntu desktop vulnerability patching, systemd 260 and modern init architecture, Linux kernel 7.0 development progress, and the Fedora Linux 44 beta release.