Samba 4.24.0 Released with Enhanced Kerberos Security and Domain Encryption Fixes

Samba 4.24.0 Enhances Kerberos Security and Fixes Domain Encryption Vulnerability

The latest release of Samba, version 4.24.0, includes several security enhancements aimed at improving the security of Active Directory deployments.

Security Enhancements

One of the key changes is a shift in the default encryption types for Kerberos, which addresses a vulnerability tracked as CVE-2026-20833.

The new release sets the default encryption types for Kerberos to AES-128 and AES-256 for domains running at the 2008 functional level or above.

This change is driven by the need to harden Kerberos security and prevent potential attacks.

Kerberos Impersonation Techniques

In addition to the encryption changes, Samba 4.24.0 introduces two new configuration options to counter Kerberos impersonation techniques.

  • kdc require canonicalization: allows administrators to require clients to explicitly request principal name canonicalization.
  • kdc name match implicit dollar without canonicalization: can be set to no to disable the KDC behavior of appending a dollar sign to unmatched names for clients that did not request canonicalization.

Privilege Attribute Certificate (PAC) Handling

By default, the KDC will now include a PAC in all responses, ignoring the PA-PAC-REQUEST value sent by clients.

This behavior can be restored by setting kdc always generate pac = no.

Canonicalized Client Name

The KDC now sends services the canonicalized client name from the PAC, using the sAMAccountName, rather than trusting the cname field.

This applies to the Heimdal KDC only, and the prior behavior can be restored by setting krb5 acceptor report canonical client name = no.
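As an added example (not from the release notes and not Samba's own tooling), a small Python checker that reads the [global] section of an smb.conf and flags the Kerberos parameters above that are explicitly left at their legacy values. The sample configuration is constructed, and treating kdc require canonicalization = yes as that option's enabling form is an assumption.

```python
# Audit an smb.conf [global] section for the Kerberos hardening parameters
# introduced in Samba 4.24.0 (constructed example, not Samba's own tooling).
# Parameter -> hardened value, per the release notes above. Treating
# 'kdc require canonicalization = yes' as its enabling form is an assumption.
HARDENED = {
    "kdc require canonicalization": "yes",
    "kdc name match implicit dollar without canonicalization": "no",
    "kdc always generate pac": "yes",
    "krb5 acceptor report canonical client name": "yes",
}

def as_bool(value: str) -> str:
    """Map the boolean spellings smb.conf accepts onto 'yes' / 'no'."""
    v = value.strip().lower()
    return "yes" if v in {"yes", "true", "1"} else "no" if v in {"no", "false", "0"} else v

def parse_global(text: str) -> dict[str, str]:
    """Minimal smb.conf reader: the [global] section as {key: value}; 'include =' is not followed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # full-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            # Samba matches parameter names case-insensitively, ignoring extra whitespace
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text: str) -> dict[str, str]:
    """Classify each parameter: 'ok', 'weak' (explicit legacy value) or 'unset' (Samba default)."""
    params, result = parse_global(text), {}
    for name, want in HARDENED.items():
        got = params.get(name)
        result[name] = "unset" if got is None else "ok" if as_bool(got) == want else "weak"
    return result

# Constructed sample: a DC whose admin re-enabled two legacy behaviours after upgrading.
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
    ; legacy behaviour retained for an old appliance
    kdc always generate pac = no
    KDC Name Match Implicit Dollar Without Canonicalization = yes
    krb5 acceptor report canonical client name = true
"""
```

Running audit(SAMPLE_CONF) reports the PAC and implicit-dollar parameters as weak, the acceptor setting as ok, and kdc require canonicalization as unset.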

Windows Hello for Business Key-Trust Logons

Samba 4.24.0 also introduces support for Windows Hello for Business Key-Trust logons, which implements PKINIT authentication with self-signed keys.

This feature stores public key details in the msDS-KeyCredentialLink attribute, and two new samba-tool subcommands, keytrust and generate-csr, support this functionality.

Certificate-Based Authentication

The release also updates certificate-based authentication to follow Microsoft KB5014754 enforcement, which permits only strong certificate mappings by default.

A compatibility mode additionally allows weak mappings, while a none setting accepts any mapping.

Auditing

The dsdb_password_audit and dsdb_password_json_audit debug classes now log changes to five AD attributes:

  • altSecurityIdentities
  • dNSHostName
  • msDS-AdditionalDnsHostName
  • msDS-KeyCredentialLink
  • servicePrincipalName

Other Changes

Finally, Samba 4.24.0 includes several other changes, such as recognition of the password policy hints control used by Microsoft Entra ID self-service password reset (SSPR) and Keycloak.

The release also adds new VFS modules, including vfs_aio_ratelimit and ceph_new, which provide features such as asynchronous I/O rate limiting and CephFS FSCrypt support.
