samba: Update to version 4.24.1

Message ID 20260428121111.1146161-11-adolf.belka@ipfire.org
State Staged
Commit bffaf22289618289f2707bd645640d8c48eb71d5
Series samba: Update to version 4.24.1

Commit Message

Adolf Belka 28 Apr 2026, 12:11 p.m. UTC
- Update from version 4.23.6 to 4.24.1
- Update of rootfiles for all three architectures
- Changelog
4.24.1
   * BUG 16057: autobuild fails if /proc/version contains trailing space
   * BUG 16035: use after free in streams_xattr_connect()
   * BUG 16042: rpc workers with long living clients grow server  memory keytab
   * BUG 16058: vfs_snapper failing to access or enumerate files in subfolders
   * BUG 16040: Samba is not build with FORTIFY_SOURCE
   * BUG 16055: Fix tests with MIT Kerberos 1.22.x
4.24.0
NEW FEATURES/CHANGES
Authentication information audit support
	There are some Active Directory attributes that are not secret, but
	 are relied on in some forms of authentication. Changes to these
	 attributes could indicate surreptitious activity. The
	 "dsdb_password_audit" and "dsdb_password_json_audit" debug classes now
	 log changes to the following attributes:
	   * altSecurityIdentities
	   * dNSHostName
	   * msDS-AdditionalDnsHostName
	   * msDS-KeyCredentialLink
	   * servicePrincipalName
	For the JSON logs, changes to these will be logged with the "action"
	 field set to "Auth info change".
vfs_streams_xattr can hold larger streams
	On Linux the size of a single extended attribute is limited to 65536
	 bytes of size. For some file systems, this is also the overall limit
	 of space for xattrs, but for example xfs can hold more than that 64k
	 of extended xattrs, although the individual xattr is still limited to
	 64k. Setting
	    streams_xattr:max xattrs per stream = 1
	 to a higher value than 1 will allow Samba to shard the stream to more
	 than one xattr. It has an artificial limit of 16 for a maximum stream
	 length of 1MB.
Support for remote password management (Entra ID SSPR, Keycloak)
	When a system such as Entra ID or Keycloak wants to change a user's
	 password in its own database as well as in AD, it will use a password
	 reset, meaning it does not transmit the old password to the domain
	 controller. Normally a password reset avoids password history and age
	 checks, which would allow a cloud password change to bypass
	 on-premises password policies. To address this, a password reset using
	 the "policy hints" control should respect password policies, as if it
	 were an ordinary password change. Both Entra ID and Keycloak use this,
	 but until now Samba did not understand this control, and would reject
	 these reset requests.
	Now Samba AD will recognise the policy hints control and enforce local
	 policy. This allows Microsoft Entra self-service password reset (SSPR)
	 to work, and for Keycloak to work with the "password policy hints
	 enabled" option.
Kerberos PKINIT KeyTrust logon support
	Samba servers configured with the embedded heimdal KDC and running as an ADDC,
	 now support "Windows Hello for Business Key-Trust logons". This allows the
	 PKINIT authentication mechanism to be used with self-signed keys.
	The samba-tool computer and user commands have a new "keytrust"
	 sub-command which allows for the setting and viewing of the public key
	 details for computer and user accounts. This stores the public key
	 details in msDS-KeyCredentialLink attribute of the account.
msDS-KeyCredentialLink validation
	Updates to the msDS-KeyCredentialLink attribute are validated against the
	 rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
Kerberos PKINIT strong/flexible key mappings
	Samba servers configured with the embedded heimdal KDC and running as an ADDC
	 now support "Windows Strong and Flexible key mappings" as outlined in
	 Microsoft KB5014754: Certificate-based authentication changes on Windows domain
	 controllers.
	The default enforcement mode ("full") allows only strong certificate
	 mappings. The smb.conf option
	    strong certificate binding enforcement = compatibility
	will allow weak mappings where the certificate is newer than the user
	 account. The option "none" will allow any mappings.
	The mappings for an account should be placed in the altSecurityIdentities
	 attribute and follow the syntax documented in KB5014754.
Kerberos PKINIT SID extension
	PKINIT authentication now supports certificates containing an Object SID
	 extension (extension 1.3.6.1.4.1.311.25.2); this is considered to be a STRONG
	 mapping for KB5014754.
	The computer and user samba-tool commands have a new sub-command
	 "generate-csr" to generate certificate signing requests.
KDC includes PAC by default
	Samba will ignore the value provided by the client in "PA-PAC-REQUEST"
	 and always include a PAC in responses, unless "kdc always generate
	 pac" is set to "no".
KDC can insist clients request canonicalization
	Canonicalization of principal client names is not mandatory in
	 Kerberos (per RFC4120), but must be requested by the client. In some
	 circumstances this allows a client to deceive Active Directory member
	 servers (known as the "dollar ticket" attack).
	The new configuration option "kdc require canonicalization" can be
	 used to require that clients request canonicalization; if they do not,
	 their AS_REQ requests will be rejected as if the account was unknown.
	The default value is "no", for backward compatibility. Windows clients
	 will ask for canonicalization by default, so in Windows-heavy
	 environments it is safe and recommended to set this to "yes".
KDC can avoid potentially confusing canonicalization
	Currently when the client does not request canonicalization, when the
	 KDC looks up a name and there is no match it will append a "$" to the
	 name and try again. An attacker who can create arbitrary machine
	 accounts can sometimes get tickets for Unix users by mimicking their
	 names (the "dollar ticket" attack).
	The configuration option
	    kdc name match implicit dollar without canonicalization = no
	 can be used to disable this behaviour for clients that do not request
	 canonicalization. Probably this only affects traditional Unix clients,
	 as Windows clients use canonicalization. If affected clients want a
	 ticket for a machine account, they will have to use the full name
	 including the dollar (e.g. "server$", not "server").
	If the "kdc require canonicalization" option cannot be set to "yes"
	 (because some clients do not request canonicalization) setting this
	 option to "no" is a good alternative.
KDC provides Kerberos acceptors with canonical client names
	By default the KDC will now send Kerberos services the canonicalized
	 name (the sAMAccountName from the PAC) rather than trusting the cname.
	To return to the old behaviour, use
	    krb5 acceptor report canonical client name = no
	 in the smb.conf.
	This currently affects Heimdal KDC only, not MIT.
KDC recommended configuration:
	strong certificate binding enforcement                            full
	kdc always include pac                                            yes
	kdc require canonicalization                                      yes
	If unable to use "kdc require canonicalization" = "yes", then
	"kdc name match implicit dollar without implicit canonicalization" should be
	set to "no" if possible.
samba tool
	Two new sub-commands have been added to the user and computer commands:
	user|computer generate-csr
	    Generate a Certificate signing request for an account containing the
	    Object SID extension (extension 1.3.6.1.4.1.311.25.2)
	user|computer keytrust
	   Add the public key details of a self-signed certificate to an account.
	   The command supports PEM and DER encoded public keys.
New AIO rate-limiting VFS module
	A new VFS stackable module has been introduced to implement rate-limiting for
	asynchronous I/O operations. Administrators can now enforce throughput ceilings
	by defining limits in either operations per second or bytes per second. The
	module utilizes a token-based algorithm to calculate real-time I/O load; when
	limits are exceeded, it dynamically injects millisecond delays into async
	operations to maintain the defined threshold.
CephFS FSCrypt support for the VFS ceph_new module
	The ceph_new VFS module can now make use of the FSCrypt feature recently added
	to CephFS. This enhancement enables data and file name encryption on a per
	share basis. A single CephFS file system may host a mix of encrypted and
	unencrypted directories.
	To obtain the encryption keys needed for FSCrypt the ceph_new module includes
	support for the Keybridge protocol. Keybridge is an RPC protocol based on
	Varlink that can retrieve keys from a local service via a UNIX socket. Users
	can choose to develop a custom Keybridge implementation or use the existing
	KMIP-compatible Keybridge server available as part of the sambacc project
	(https://github.com/samba-in-kubernetes/sambacc).
Domain encryption types changed to AES by default
	The default value of the smb.conf option ‘kdc default domain supported enctypes’
	now corresponds to ‘aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96’ (both AES
	encryption types) if the domain functional level is 2008 or higher. This
	addresses CVE-2026-20833.
smb.conf changes
  Parameter Name                          Description     Default
  strong certificate binding enforcement  New             full
  certificate backdating compensation     New             0
  kdc always include pac                  New             yes
  kdc require canonicalization            New             no
  kdc name match implicit dollar without canonicalization
                                          New             yes
  kdc default domain supported enctypes   New default     AES encryption types (if supported by domain)
bugfixes
   * BUG 16019: incorrect behavior on rpcclient enumport with rpcd_spoolss
   * BUG 16001: altSecurityIdentities X509 issuer DN order is reversed
   * BUG 16000: vfs_aio_ratelimit: introduce burst-aware and persistent state
     model
4.24.0rc3
   * BUG 15990: No function _python_sysroot defined
   * BUG 15978: leases torture test flappy
   * BUG 15984: smbd: in contend_dirleases() don't bother checking when not
     enabled
   * BUG 15993: 'net ads kerberos kinit' should use also default ccache name
     from krb5.conf
   * BUG 15789: "use-kerberos=desired" broken
   * BUG 15975: source3/libads/kerberos.c sets wrong failure for negative
     connection cache
   * BUG 15938: CTDB's statd_callout fails on sm-notify
   * BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
     their state
   * BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
     their state
   * BUG 15998: Backport domain default AES encryption types to 4.24
4.24.0rc2
   * BUG 15979: possible memory leak  on rpc_spoolss
   * BUG 15972: Winbind group resolution failure
   * BUG 15979: possible memory leak  on rpc_spoolss
   * BUG 15977: ctdbd socket documentation is wrong
   * BUG 15976: time_t related build failure on 32bit arch in 4.24.0rc1

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/aarch64/samba | 17 +++++++++++++++++
 config/rootfiles/packages/riscv64/samba | 17 +++++++++++++++++
 config/rootfiles/packages/x86_64/samba  | 17 +++++++++++++++++
 lfs/samba                               |  6 +++---
 4 files changed, 54 insertions(+), 3 deletions(-)
  

Patch

diff --git a/config/rootfiles/packages/aarch64/samba b/config/rootfiles/packages/aarch64/samba
index d1e56440a..f1b997a87 100644
--- a/config/rootfiles/packages/aarch64/samba
+++ b/config/rootfiles/packages/aarch64/samba
@@ -124,6 +124,7 @@  usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@  usr/lib/python3.10/site-packages/ldb.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-aarch64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@  usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@  usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@  usr/lib/python3.10/site-packages/samba/netbios.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@  usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@  usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@  usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/config/rootfiles/packages/riscv64/samba b/config/rootfiles/packages/riscv64/samba
index 2cff83ea1..17d234343 100644
--- a/config/rootfiles/packages/riscv64/samba
+++ b/config/rootfiles/packages/riscv64/samba
@@ -124,6 +124,7 @@  usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@  usr/lib/python3.10/site-packages/ldb.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-riscv64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@  usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@  usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@  usr/lib/python3.10/site-packages/samba/netbios.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@  usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@  usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@  usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index d800fca99..582ed8ebe 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -124,6 +124,7 @@  usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@  usr/lib/python3.10/site-packages/ldb.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-x86_64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@  usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@  usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@  usr/lib/python3.10/site-packages/samba/netbios.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@  usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@  usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@  usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/lfs/samba b/lfs/samba
index 7b38018cc..a4a24a3f3 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 4.23.6
+VER        = 4.24.1
 SUMMARY    = A SMB/CIFS File, Print, and Authentication Server
 
 THISAPP    = samba-$(VER)
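Review bot: the `VER` change from 4.23.6 to 4.24.1 crosses into a new release series, and the commit message lists new smb.conf defaults that come with it (`strong certificate binding enforcement` = full, `kdc always include pac` = yes, AES types for `kdc default domain supported enctypes`) without saying what that means for systems upgrading this package. Please add a line to the commit message stating whether existing configurations need any adjustment after the update, or that none is needed and why.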
@@ -33,7 +33,7 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 120
+PAK_VER    = 121
 
 DEPS       = avahi libtalloc perl-Parse-Yapp wsdd
 
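Review bot: `DEPS` on the context line under the `PAK_VER` bump stays at `avahi libtalloc perl-Parse-Yapp wsdd`, while the rootfiles in this patch start shipping new Python modules uncommented (samba/asn1.py, samba/generate_csr.py, samba/key_credential_link.py and the generate_csr/keytrust netcmd files). Please confirm that the new samba-tool sub-commands import nothing the package does not already pull in, and extend `DEPS` here if they do.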
@@ -47,7 +47,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = c5c567bfc4734429790ec7362150eda231ce7e3e7dbdfaa2ca2dc81bd178c9c15cc9360b21f4c5dd1f1423d46337bc5a7b581efcff8ed647adb69a9b47922320
+$(DL_FILE)_BLAKE2 = 51459d4db739e47bc05692046ce0a8b3044de923b3d1e7a51589bb838a7ef9865b6d6034656ade87e099374157a92dac0cba70a5f293a4d1e2b623341b3e75ca
 
 install : $(TARGET)
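Review bot: the replaced `$(DL_FILE)_BLAKE2` value is what the build trusts for the tarball fetched via `$(DL_FROM)`, and neither the hunk nor the commit message says how the new hash was obtained. Please state in the commit message that the 4.24.1 tarball was checked against the upstream release signature before the BLAKE2 sum was computed, so the hash can be traced to a verified source.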