Samba 4.24.0 released
The Samba team has released version 4.24 as the first stable update for this series, bringing essential security hardening to Linux-based Active Directory controllers. Defaulting to AES encryption types and enforcing stricter certificate bindings helps plug vulnerabilities that previously allowed attackers to exploit weaker authentication protocols. Administrators will find the new samba-tool commands for managing Windows Hello keys particularly useful alongside improved compatibility with cloud password reset systems like Entra ID. It remains a solid upgrade for any server acting as a domain controller, provided administrators review their smb.conf settings to ensure legacy clients do not get locked out by the stricter Kerberos policies.
The Samba team has released version 4.24, marking the first stable update that enhances security for Linux-based Active Directory controllers by defaulting to AES encryption and enforcing stricter certificate bindings. This update addresses vulnerabilities in older authentication protocols and introduces new samba-tool commands for managing Windows Hello keys, improving compatibility with cloud password reset systems like Entra ID. Administrators should note the shift to AES encryption types and the enhanced audit logging capabilities, which help in monitoring changes to sensitive attributes and prevent specific replay attack vulnerabilities. Overall, this upgrade offers significant security improvements and facilitates better integration with modern Windows authentication standards, although administrators should review their smb.conf settings to avoid locking out legacy clients.
