Blog

smb3posix.org

The SMB3 POSIX Extensions now have a dedicated home. At smb3posix.org, developers can access version 1.0.0 of the SMB3 POSIX Specification.

The new website is the culmination of work that began more than a decade ago: since roughly 2015 various members of the Samba and Linux kernel community have been working together to design, implement, and document the SMB3 protocol extensions with the goal of providing first-class POSIX compatibility over SMB3. With a recent Linux kernel and a server implementing the extensions, network shares can preserve POSIX filesystem semantics such as case-sensitive paths, Unix mode bits, symbolic linksm, and hard links. Samba has provided the server reference implementation since version 4.22; the extensions have been enabled by default since 4.23.

Version 1.0.0 represents the first complete specification by documenting not only the protocol extensions themselves, but also the filesystem semantics that distinguish POSIX systems from Windows and how those semantics are represented on the wire.

Although implementations of the SMB3 POSIX Extensions had already been shipping in several open-source SMB clients and servers, the work uncovered subtle POSIX behaviors that still needed to be specified and, in some cases, implemented before the specification could be considered complete.

The foundation for that work was laid in a project funded by the German Sovereign Tech Agency. The project addressed SMB3 POSIX Extensions at several levels: server adjustments and regression tests, client support through libsmbclient for Linux desktop environments, and a dedicated project for completing the protocol documentation.

The funding provided time for this work: making explicit behaviour historically implemented in Samba and the Linux kernel as part of the older CIFS UNIX Extensions; documenting how POSIX semantics differ from Windows semantics; and specifying how this information is transmitted between systems over the network.

The resulting specification consists of three documents:

  • POSIX-SMB2 defines SMB protocol semantics.
  • POSIX-FSA defines POSIX filesystem semantics and where they differ from Windows.
  • POSIX-FSCC defines filesystem information classes and their on-the-wire representations.

SerNet's Samba Team Lead Ralph Böhme worked on this documentation in his role as a member of the international Samba Team. After completing the funded milestone, he also created smb3posix.org to provide a permanent home for the specification and make it more accessible to developers. In September, Ralph will present the work at the SNIA Storage Developer Conference in his talk “SMB3 POSIX Extensions, from plumbing to flowing.”

Anyone who has had to implement a protocol from incomplete documentation knows the difference this makes. The specification and its new home provide a clear reference for anyone implementing SMB3 POSIX support.


SAMBA+ 4.24.4 has been released by SerNet and is now available for SUSE and Red Hat platforms, Debian GNU/Linux, Ubuntu, and AIX. It is the latest stable release of the Samba 4.24 series.

This release addresses several issues reported since Samba 4.24.3, most of them affecting Active Directory, in particular domain trusts. All fixes are documented in the official release notes:

As usual, the new packages are included in existing SAMBA+ subscriptions and can be obtained via the SAMBA+ shops:

If you have questions, need help with an upgrade, or would like a quote, contact the SAMBA+ team at SerNet.


SAMBA+ 4.23.9 has been released by SerNet and is now available for SUSE and Red Hat platforms, Debian GNU/Linux, Ubuntu, and AIX.

This release addresses several issues. All fixes are documented in the official release notes:  https://www.samba.org/samba/history/samba-4.23.9.html

Please note: when upgrading from a SAMBA+ version older than 4.21 on Debian or Ubuntu systems, and if you use custom or third-party scripts that rely on Samba's Python modules, the additional package sernet-samba-python3 must be installed after upgrading to SAMBA+ 4.23. RHEL- and SUSE-based systems are not affected.

As usual, the new packages are included in existing SAMBA+ subscriptions and can be obtained via the SAMBA+ shops:

If you have questions, need help with an upgrade, or would like a quote, contact the SAMBA+ team at SerNet.


SAMBA+ 4.24.3, 4.23.8 and 4.22.10 packages have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issues:

Instructions for package access and upgrading are available in the SAMBA+ How-to collection. If you are upgrading from a SAMBA+ version older than 4.21 and use your own or third-party scripts that rely on Samba’s Python modules, you must install the sernet-samba-python3 package after upgrading on Debian or Ubuntu systems. RHEL and SUSE-based systems are not affected.

SAMBA+ packages are available as software subscriptions in the SAMBA+ shops:

For further questions or to request a quote, please contact us.


Success Story: Samba AD meets Entra ID


It started with a straightforward architecture decision: keep identity on-prem under your control while still using Microsoft 365 in the cloud. 

That’s the challenge Qudora Technologies GmbH brought to SerNet. QUDORA is a leading full-stack quantum computing company based in Germany. The company’s proprietary Near-Field Quantum Control (NFQC®) technology brings together ultra precise qubit control with very long coherence times significantly improving the performance per qubit. QUDORA’s QC systems are designed for seamless integration with existing industrial infrastructure, including on-premise deployments for HPC centers. With operations in Braunschweig and Hamburg, QUDORA is making quantum computing accessible to a broader range of applications and industries.

Qudora approached SerNet because the Göttingen-based open-source specialist combines upstream Samba engineering with hands-on integration expertise across Samba and Microsoft environments.

Project snapshot

  • On-prem authoritative directory: Samba Active Directory Domain Controller
  • Cloud services: Microsoft 365 (Exchange Online, SharePoint, Teams)
  • Sync engine: Microsoft Entra Connect (one-way: on-prem → cloud)
  • Key requirement: Exchange-relevant attributes available and correct in Samba AD
  • Goal: Production-ready hybrid setup

Architecture: On-Prem Stays Authoritative

The core question was simple: Can a Samba AD domain synchronize cleanly to Microsoft Entra ID using Entra Connect – including the Exchange-relevant attributes.

In many real-world environments, Exchange requirements have historically pushed teams toward “just use Windows for AD,” because Exchange Online (and hybrid patterns around it) expect specific object classes and attributes.

Qudora wanted a different design that takes digitial sovereignty requirements serious: Samba AD stays the source of authority, Microsoft 365 consumes synchronized identities, and admins manage users in one place.

Schematics for a setup with Samba AD sync to Entra ID

The Engineering Core: Bringing Exchange Attributes to Samba AD

The challenge wasn’t “getting sync to run.” The challenge was meeting the schema and attribute expectations that come with Exchange.

Exchange Online commonly relies on attributes and structures such as:

  • proxyAddresses
  • mail
  • targetAddress
  • multiple msExch* attributes
  • Exchange organization objects / related classes

To meet those requirements with Samba as the only AD DC, the project required:

  1. Extending the LDAP schema in Samba AD for Exchange-relevant object classes and attributes
  2. Targeted Samba code changes so these objects were handled correctly
  3. Protocol-level troubleshooting (network traces + deep debug logs) to confirm what Entra Connect was actually requesting and how Samba responded

This is where SerNet’s team setup mattered in a very concrete way:

  • Björn Jacke (Integrator in SerNets Samba Team) led the AD-side implementation and guided the Samba AD/DC requirements.
  • Stefan Metzmacher (Samba core development) traced the behavior down to the relevant code paths and implemented the fixes.
  • Carl Massiang (Integrator in SerNets Secure Infrastructures Team) implemented the Entra Connect configuration and handled the Microsoft 365 / Exchange Online integration work.

The resulting changes were merged upstream, so the broader Samba community benefits as well.

A key point from the field: from Entra ID’s perspective, this behaved like a standard Active Directory environment. Entra “didn’t care” that the DC was Samba.

The solution in production

Once in place, the operational flow was clean and repeatable:

  1. Create/manage users in the on-prem Samba AD (the authoritative directory).
  2. Set Exchange-relevant attributes in Samba AD.
  3. Entra Connect synchronizes objects one way (on-prem → Entra ID).
  4. Microsoft 365 provisions the Exchange Online mailbox automatically based on the synchronized identity and attributes.

No on-prem Exchange server was required for this setup. No extra Windows domain was added. No double maintenance of identities. Only one Windows Member Server for the Entra Connect Sync Service is needed. 

What changed for Qudora

This implementation delivered a hybrid identity design that was:

  • single-source-of-truth (on-prem Samba AD)
  • cloud-ready for Microsoft 365 services
  • schema-correct for Exchange Online expectations
  • stable and reproducible in production

In a follow-on project with another company, the same approach was applied to a hybrid scenario involving an on-prem Exchange server, where domain controllers must evaluate certain policies correctly for Exchange objects to provision as expected. That scenario was achievable as well, building on the extended schema foundation.

Planning something similar?

If you run Samba AD and want to connect Microsoft 365 or you need to harden an existing hybrid setup, reach out to SerNet. We’ll review your directory model and schema, validate Exchange attribute requirements, design the Entra Connect architecture, and implement it end-to-end – including upstream-grade troubleshooting when the issue is deeper than configuration.

Note on digital sovereignty: Depending on your requirements, SerNet also designs and implements sovereign alternatives without Microsoft cloud services – on-prem or with European providers – especially where data residency, regulatory constraints, or risk considerations (including topics like the U.S. CLOUD Act) are part of the decision.

SerNet can do this, just reach out.


Contact us
Contact
Deutsch English Français