Blog

(Last Update: July 8)

Please note: Updated packages are available

On July 8, Microsoft will release an important security update for Active Directory Domain Controllers for Windows Server versions prior to 2025.

This update modifies the Microsoft RPC Netlogon protocol to improve security by tightening access checks for a set of RPC requests. Samba running as domain members in these environments will be impacted by this change if a specific configuration is used. See below for details on the affected configurations.

Windows Server version 2025 is already equipped with these specific security hardenings. Microsoft plans to deploy them to all supported Windows Server versions down to Windows Server 2008. 

Who is affected?
Samba installations that act as member servers in Windows AD domains will be affected if they are configured to use the 'ad' idmapping backend. Samba servers that do not use this configuration will not be affected by the change – at least according to our current knowledge and understanding – and no further action is required.

However, current versions of Samba with the affected configuration will no longer function correctly once the Microsoft update has been applied. Users will not be able to connect to the SMB service provided by Samba for any domain that uses the ‘ad’ idmapping backend.

What is SerNet doing?
The SAMBA+ team at SerNet, along with other members of the international Samba team, has been collaborating with Microsoft. Changes to Samba are currently being developed and tested to ensure full compatibility between Samba and Microsoft products. The Samba team aims to release updated packages on Monday evening (UTC+2).

Updated SAMBA+ packages, which will restore full compatibility, are planned to be made available before Microsoft's rollout.

What you should do:

• Check your configuration if you’re running Samba in a Windows AD environment.
• Watch out for new SAMBA+ package updates early next week (starting July 7th) .
• Apply the update before Microsoft’s rolls out the patch.

All SAMBA+ updates are included in active subscriptions.

If you do not yet have a subscription, visit the SAMBA+ shop (EUR) or SAMBA+ shop (USD) for access.

For any questions or individual support, feel free to contact us directly – our team is here to help.

With Samba version 4.22, support for “reflink copies” has been extended. Reflink stands for Reference Links: a feature that significantly speeds up the copying of large files by creating only references to data blocks on supporting file systems.

The feature was developed by the Samba team at SerNet GmbH in close cooperation with storage manufacturer FAST LTA, who commissioned the implementation. The aim was to fulfill an essential step so that storage systems such as FAST LTA's Silent Bricks can also support Veeam's Fast Clone feature for SMB access under Linux.

Technical background

“Reflink copies” use features of modern file systems such as Btrfs, XFS, ZFS, or ReFS to make data duplication more efficient. With SMB-based access, clients can use SMB protocol features for “reflink copies,” provided that the server and its file system support this. Previously, support in Samba was limited to the Btrfs file system.

In Samba 4.22, general support is now enabled for all file systems that support the “reflink copies” functionality – by using the generic Linux ioctl FICLONERANGE. This enables the use of backup software such as Veeam, which regularly creates complete or differential copies of large amounts of data, with file systems other than Btrfs, ZFS, and XFS. Thanks to the extension in Samba, Linux-based SMB backends – such as those provided by FAST LTA with the Silent Bricks storage system – can now also support Veeam's Fast Clone. This significantly improves performance for so-called “forever incremental” and “synthetic full” backups. The result is a reduction in storage requirements, I/O load, and backup times.

Upstream tops proprietary

The technical implementation was carried out by the Samba team at SerNet lead by Ralph Böhme, who has been working on central components of the project for many years as a member of the Samba Core Team. The code has been fully integrated upstream and is now part of the official Samba release series 4.22.

“For us, it is an important signal when manufacturers such as FAST LTA specifically focus on the further development of open source components,” says Ralph Böhme. “Such contributions not only strengthen the functionality of individual systems, but also the sustainability and openness of the overall architecture.”

Christian Rogg, lead developer at FAST LTA, is enthusiastic about the collaboration with SerNet: “It started out as just an idea. The implementation with SerNet was extremely professional, and the results are impressive. Veeam users now save up to 50% in storage capacity and backup time with Fast Clone Support with Silent Bricks.”

Joint development initiatives

As part of its development services, SerNet offers specific enhancements and customizations of Samba – especially for manufacturers, OEMs, and operators of complex infrastructures. The aim of such collaborations is to combine individual requirements with open source practice: Developments are designed transparently, implemented with technical expertise, and merged into the official Samba source code base for the benefit of Samba users worldwide

Contact us for more development opportunities with SerNet!

What is probably the world's first productive setup of Samba and Linux clients with SMB3 UNIX Extensions is now up and running at Frankfurt University of Applied Sciences (UAS). Björn Jacke from the SerNet Samba team recently worked with colleagues from the university's IT department to equip the Samba server and connected Linux clients with this new feature for academic purposes.  

Frankfurt UAS had consciously decided not to use dual protocols SMB and NFS. Instead, it now relies on uniform integration with SMB3: Samba's rights and sharing management offers much greater flexibility and easier administration. Without the Unix Extensions, students using Linux workstations were previously restricted in that symlinks or Unix commands such as chmod did not behave as they would on a typical POSIX/Linux system. The operations could not be mapped directly via the SMB protocol. Jacke: “With the new SMB3 UNIX Extensions, Linux clients now work perfectly with SMB mounts from Samba servers, enabling optimal integration without compromise. This makes studying at Frankfurt University even more enjoyable for students.”

Samba 4.22 with SMB3 Unix Extensions

The SMB3 UNIX Extensions feature is available since Samba version 4.22, which was released in April 2025. The topic also dominated this year's sambaXP and can be reviewed in several recordings published on the SAMBA+ YouTube channel.

SerNet has already incorporated some additional features into the current SAMBA+ packages, which will only be part of Samba from version 4.23 onwards in fall 2025.

SerNet: Worldwide partner for Samba projects

Support – remote or directly onsite – is part of the core business of SerNet's Samba team. The team supports companies and organizations in setting up, maintaining, and optimizing Samba infrastructures. The project implementation in Frankfurt shows how practical know-how and technological development come together at the customer's site.

How can we assist you with your Samba environment?

SerNet offers professional assistance with all questions relating to Samba, SMB, and Active Directory – from planning and implementation to ongoing support and development projects. Find out more about our services or contact us directly.

The Samba team at SerNet has completed two key milestones in the ongoing development of SMB over QUIC for Samba. The technology  promises secure, high-performance access to file servers across untrusted networks. These developments are part of the project funded by the Sovereign Tech Agency (STA). The STA supports critical open-source infrastructure to strengthen digital sovereignty and resilience.

Milestone 5.1: Enable QUIC transport in Samba smbd

Samba now supports listening on UDP port 443, enabling a QUIC-based alternative to traditional TCP connections (ports 445 and 139). The groundwork integrates the Linux kernel QUIC driver lxin/quic into Samba's networking logic. This allows Samba to act as a secure “SMB VPN”, ideal for remote work, mobile access, and high-security scenarios.

Milestone 5.2: Enable QUIC testing via socket_wrapper

Testing QUIC implementations without relying on real network interfaces is crucial for fast, automated validation. The team extended socket_wrapper, a tool that emulates network sockets over Unix domain sockets, to simulate QUIC communication using the ngtcp2 userspace library. This approach allows developers to test SMB over QUIC under controlled conditions without kernel dependencies.

With these two milestones, Samba takes a significant step toward full SMB over QUIC support, offering a modern, secure transport layer for the next generation of file services. 

Learn more about the full project and its milestones: https://samba.plus/stf-project

All presentations from sambaXP 2025 are now accessible at YouTube, featuring hours of valuable content and expertise in Samba, open-source technologies and much more. Dive into the latest insights shared at the recent on-site conference, held at Hotel Freizeit In in Göttingen from April 7–8.

One highlight of this year's event was the keynote by Mirko Swillus from the Sovereign Tech Agency (STA). He addressed the necessity and complexities of maintaining digital infrastructure, drawing parallels to physical infrastructure: "Digital infrastructure maintenance resembles the upkeep of roads and bridges. It’s crucial yet often invisible. The Sovereign Tech Agency exists precisely to ensure the sustainability of these fundamental building blocks of our digital society."

Swillus further emphasized international collaboration, stating: "Open source doesn't have borders; it’s a global phenomenon. We must work collectively to sustain these critical resources." And that's exactly what STA does whith its Sovereign Tech Fund. For example, STA currently funds a major Samba project managed by SerNet GmbH. The initiative focuses on enhancing Samba’s security, scalability, and functionality.

Thanks to all speakers and to this year’s sponsors for their support, enabling another successful sambaXP.

Missed the event or want to revisit your favorite sessions? Start exploring the sambaXP 2025 playlist today!

And stay tuned for updates on sambaXP 2026 at sambaxp.org.