STF Project Overview

1.1 Security Enhancement: MS-NRPC Netlogon security hardening (ETA: 2024-11-03)
Upcoming Windows versions will have new features to protect the communication with domain controllers as well as between domain controllers. They will use kerberos instead of relying on custom crypto. Samba needs to implement these with their client and server aspects.

Published:
dcerpc client security context multiplexing
gitlab.com/samba-team/samba/-/merge_requests/3803
winbindd related optimizazions when connecting to a DC
gitlab.com/samba-team/samba/-/merge_requests/3824
dcerpc server auth_len pad
gitlab.com/samba-team/samba/-/merge_requests/3812
Capabilities level=2
gitlab.com/samba-team/samba/-/merge_requests/3189
gsskrb5: let GSS_C_DCE_STYLE imply GSS_C_MUTUAL_FLAG as acceptor
gitlab.com/samba-team/samba/-/merge_requests/3839
Preparation work for netr_ServerAuthenticateKerberos
gitlab.com/samba-team/samba/-/merge_requests/3878
Add server support for netr_ServerAuthenticateKerberos
gitlab.com/samba-team/samba/-/merge_requests/3879
Add client support for ServerAuthenticateKerberos
gitlab.com/samba-team/samba/-/merge_requests/3881
 
1.2 Security Enhancement: SID Filtering (ETA: 2025-01-28)
Security Identifier (SID) filtering in Active Directory is a security measure that restricts the use of SIDs from less trusted domains to prevent unauthorized access to resources in more trusted domains, especially in multi-domain forest environments with trust relationships. While this is mostly a domain controller feature, it's also important for domain members. User and device claims also need to be transformed at the security boundaries.

Published:
Implement sid filtering and selective authentication
gitlab.com/samba-team/samba/-/merge_requests/2864
lib/util: add dns_cmp() as it's own file
gitlab.com/samba-team/samba/-/merge_requests/3936
auth: remember the origin of sids from the PAC
gitlab.com/samba-team/samba/-/merge_requests/3938
invalid and unsupported trust types and let winbindd reload trusts completely
gitlab.com/samba-team/samba/-/merge_requests/3939
some drsblobs.idl, drsuapi.idl and security.idl updates
gitlab.com/samba-team/samba/-/merge_requests/3912
add basic infrastructure for claims transformation parsing [MS-CTA]
gitlab.com/samba-team/samba/-/merge_requests/3953
s3:tldap: cleanups
gitlab.com/samba-team/samba/-/merge_requests/3957
auth: remember the origin of sids from the PAC
gitlab.com/samba-team/samba/-/merge_requests/3940
winbindd: move dead code into a comment
gitlab.com/samba-team/samba/-/merge_requests/3955
add forest trust scanner background tasks and implement pass-through domain name validation
gitlab.com/samba-team/samba/-/merge_requests/3942
s4:kdc: a lot of cleanups and simplifications to prepare sid filtering and selective auth
gitlab.com/samba-team/samba/-/merge_requests/3967
python:tests/krb5: preparations for testing sid filtering
gitlab.com/samba-team/samba/-/merge_requests/3973

The SMB protocol, originally developed by IBM, was significantly further developed by Microsoft. Even though the Samba team has been carrying out independent software development for the open source implementation under Linux since 1992, it is an important part of the team's task to ensure interoperability with the Microsoft implementation. The following two important milestones have been written down for this purpose.

2.1 Fileserver Feature: SMB3 Directory Leases (ETA: 2024-12-24)
Allow clients to establish leases on directories, enabling improved caching and reduced network overhead for operations involving directory metadata, which can enhance performance and responsiveness when working with shared files and folders. Also the data model to store the relevant meta data needs to be improved. This task includes research and testing against Windows, as well as writing tests.
Published:
https://gitlab.com/samba-team/samba/-/merge_requests/3842

2.2 Fileserver Feature: Transparent Failover / Persistent Handles (ETA: 2025-12-24)
Allow for seamless and uninterrupted file access by transparently redirecting clients to an available server in the event of a server failure, ensuring data continuity and high availability. Build infrastructure in the fileserver to support the related protocol flags for directory leases. Also the data model to store the relevant meta data. This task includes research and testing against Windows, as well as writing tests. The team may provide a database layer with per record persistance in addition.

Samba needs to provide enhanced support for interoperability between Windows and Unix-like operating systems, enabling better handling of Unix-specific file attributes, permissions, and symbolic links when accessing files and directories over a network. The linux kernel smb client will be the initial consumer, but in future others like MacOS clients may also implement it. For the linux kernel client it aims to provide semantics like a local filesystem.

3.1 SMB3 UNIX Extensions: Regression tests and server adjustments (ETA: 2025-03-07)
Regression tests and server adjustments are crucial for maintaining the stability and performance of Samba. Regression tests ensure that recent changes or updates in the codebase do not introduce new bugs or issues. Server adjustments involve fine-tuning server configurations to optimize performance, enhance security, and handle increased traffic loads. Together, these practices help ensure that the software runs smoothly and efficiently, providing a reliable experience for users.

Published: 
Linux kernel commit 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 fs/smb/client: Implement new SMB3 POSIX type
Small step towards better reparse point support
gitlab.com/samba-team/samba/-/merge_requests/3626
Start support reparse points
gitlab.com/samba-team/samba/-/merge_requests/3619
list reparse tags in query_directory
gitlab.com/samba-team/samba/-/merge_requests/3658
Some cleanups and a small fix for reparse points
gitlab.com/samba-team/samba/-/merge_requests/3689
Simplify symlink_target_path() plus a few cleanups
gitlab.com/samba-team/samba/-/merge_requests/3701
Show special files as NFS reparse points
gitlab.com/samba-team/samba/-/merge_requests/3716
Enable chmod over smb311 posix extensions in smbclient
gitlab.com/samba-team/samba/-/merge_requests/3749
Return the file type as part of the PosixPerms field in the posix create context reply and the query_dir infolevel
gitlab.com/samba-team/samba/-/merge_requests/3806
Sanitize our use of openat
gitlab.com/samba-team/samba/-/merge_requests/3867
smbd: Remove non_widelink_open()
gitlab.com/samba-team/samba/-/merge_requests/3868
Cleanups, mainly path handling
gitlab.com/samba-team/samba/-/merge_requests/3927
Enable SMB3 UNIX Extensions by default
gitlab.com/samba-team/samba/-/merge_requests/3989
 

3.2: SMB3 UNIX Extensions: Write protocol documentation (ETA: 2026-02-27)
There are already prototypes for the protocol documentation, but they need to be completed. They should be in form similar to the existing SMB2/3 documentation from Microsoft and in most parts explain where the behaviour differs between clients with SMB3 UNIX Extensions and clients without them.

3.3: SMB3 UNIX Extensions: Improve Linux desktop environments (ETA: 2025-06-21)
Development needs to be done to enhance the libsmbclient library provided by Samba and use it in Gnome VFS libsmbclient is used in the GNOME VFS as well as the corresponding KDE counterpart to access file systems exported by SMB servers. This libsmbclient must be extended to implement the smb3 unix extensions to provide a more seamless integration into Linux desktop environments.

Published: 
smb: Make smb backend's "stat" call use smb311 posix extensions
gitlab.gnome.org/GNOME/gvfs/-/merge_requests/269
Make FSCC_FILE_POSIX_INFORMATION available through the published libsmb-
client API
gitlab.com/samba-team/samba/-/merge_requests/4080
libsmbclient cleanups
gitlab.com/samba-team/samba/-/merge_requests/4046
smbd: Remove the "posix_pathnames" global variable
gitlab.com/samba-team/samba/-/merge_requests/4043

io_uring is a Linux kernel interface designed to improve asynchronous I/O operations, offering lower latencies and higher performance. It allows applications to submit multiple I/O requests in a single system call, reducing overhead and improving efficiency. Samba team will enhance performance with efficient and scalable I/O operations by using Linux io_uring.

4.1 io_uring support: Integrate io_uring vfs module (ETA: 2025-11-26)
Integrating the existing io_uring vfs module into the default io_uring should replace the custom userspace threadpool for async io and it should interact with preadv2(RWF_NOWAIT) for small io in order to keep the latency low in the optimal case.

4.2 io_uring support: Integrate io_uring into the socket io path (ETA: 2025-12-19)
Currently raw sendmsg(MSG_DONTWAIT) and recvmsg(MSG_DONTWAIT) are used for socket io, which means the main thread cpu bound during the memcpy inside the kernel. With IORING_OP_SENDMSG/IORING_OP_RECVMSG we can delegate the memcpy into helper threads for large messages. With IORING_OP_SENDMSG_ZC we could even avoid the cost completely if the network stack supports it.

4.3 io_uring support: Full zero copy with IORING_OP_SPLICE (ETA: 2026-02-21)
If no SMB signing is used (e.g. where clients are in an isolated network) maximal performance is desired. Currently we have support for sendfile() support in the direction to the client, but that may still blocks the main thread. With IORING_OP_SPLICE we are more flexible as the 2nd step via pipe is excplicit and allows better interaction with the typical message flow.

QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet, an "SMB VPN" for telecommuters, mobile device users, and high security organizations. The SMB protocol needs to support QUIC and this milestone is about this work.

5.1 SMB over QUIC: Generic support of the linux kernel driver (ETA: 2025-02-19)
In addition to tcp ports 445 and 139 Samba's smbd should also listen on QUIC port udp port 443. This builds on top of https://github.com/lxin/quic, which is a linux kernel QUIC driver with a small userspace library. We need to adjust some code that expects tcp/ip address and port ranges.

Published:
Implement SIGPIPE/MSG_NOSIGNAL for quick_sendmsg / ignore MSG_BATCH
https://github.com/lxin/quic/pull/26 
Using select() in library code can lead to unexpected problems.
https://github.com/lxin/quic/pull/27 
let libquic avoid logging by default
https://github.com/lxin/quic/pull/31 
introduce and check QUIC_CRYPTO_SECRET_BUFFER_SIZE
https://github.com/lxin/quic/pull/32 
Preparations for an async handshake
https://github.com/lxin/quic/pull/33 
tests: let sample_test use the following protocols default,v1,v2
https://github.com/lxin/quic/pull/35 
libsmb: prepare for 'client smb transports' in order to add 'quic' later
https://gitlab.com/samba-team/samba/-/merge_requests/4017 
Draft: Implement SMB over QUIC for smbd and smbclient
https://gitlab.com/samba-team/samba/-/merge_requests/4019 


5.2: SMB over QUIC: Inject QUIC support into socket_wrapper (ETA: 2025-03-13)
For automated tests it's important to avoid real kernel sockets. socket_wrapper simulates tcp and udp sockets on top of unix domain sockets. We should allow socket wrapper to have additional plugins, and we could try to simulate the QUIC kernel interface using the userspace driver from https://github.com/ngtcp2/ngtcp2

Published:
async_sock: try sendmsg()/recvmsg first (non-blocking)
https://gitlab.com/samba-team/samba/-/merge_requests/4033 
add helper support for quic_ko_wrapper
https://gitlab.com/cwrap/socket_wrapper/-/merge_requests/46 
Draft: Implement quic_ko_wrapper in order to test quic without kernel support
https://gitlab.com/samba-team/samba/-/merge_requests/4035 

5.3 SMB over QUIC: Native userspace quic driver (ETA: 2025-04-04)
Directly use the userspace quic driver from https://github.com/ngtcp2/ngtcp2 as fallback for older kernels in order to implement smb client side support.

Published:
s4:torture/smb2: let smb2.bench tests start the loop only when everything is ready
https://gitlab.com/samba-team/samba/-/merge_requests/4051 
smbtorture: make sure talloc destructors run safely before torture->ev is destroyed.
https://gitlab.com/samba-team/samba/-/merge_requests/4044 
libcli/smb: introduce smbXcli_transport abstraction as a very thin layer
https://gitlab.com/samba-team/samba/-/merge_requests/4045 
socket_wrapper: add SOCKET_WRAPPER_ALLOW_DGRAM_SEQPACKET_-
FALLBACK support
https://gitlab.com/cwrap/socket_wrapper/-/merge_requests/48 
Implement quic client using ngtcp2 in userspace
https://gitlab.com/samba-team/samba/-/merge_requests/4055 
third_party: Update socket_wrapper to version 1.5.1
https://gitlab.com/samba-team/samba/-/merge_requests/4059 

5.4 SMB over QUIC: SMB2_TRANSPORT_CAPABILITIES negotiation (ETA: 2025-08-23) 
This allows a SMB client to avoid double encryption using TLS (injected by QUIC) for the transport and user level encryption using various aes flavours based on kerberos/ntlmssp authentication.

Published:
Add support for MS-SMB2 2.2.3.1.5 SMB2_TRANSPORT_CAPABILITIES
https://gitlab.com/samba-team/samba/-/merge_requests/4182

The following milestones in this group are all about performance of the SMB protocol: Enable high-speed, low-latency data transfer by leveraging Remote Direct Memory Access (RDMA) technology for direct communication between client and server network adapters without involving the CPU, enhancing performance and efficiency.

6.1 SMB direct: SMB direct socket layer for the Linux kernel (ETA: 2025-08-11)
There is some smb direct support in the linux kernel already, but it's not exposed to userspace. Instead of having multiple implementation the code should be consolidated and be used within the kernel, but also be exported to userspace to that Samba's smbd, libsmbclient
can also use it.

This will also make it possible to write regression and performance tests just for the smbdirect transport layer instead of relying on functional tests with SMB3 clients and servers.

Published:

smb:common: introduce and use common smbdirect headers/structures (step1)
https://lore.kernel.org/linux-cifs/cover.1748446473.git.metze@samba.org/T/#t (8 patches)
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 

smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()
https://lore.kernel.org/linux-cifs/cover.1750264849.git.metze@samba.org/T/#m486ee2031fecab47d3e8e54e843b7116e45ee1fc 
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a379a8a2a0032e12e7ef397197c9c2ad011588d6 

smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data
https://lore.kernel.org/linux-cifs/31a6b9ce-9839-41d4-8b22-3d3c4db95e2c@talpey.com/T/#t 
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1944f6ab4967db7ad8d4db527dceae8c77de76e9 

smb: client: remove \t from TP_printk statements
https://lore.kernel.org/linux-cifs/CAH2r5mvewQhsrpVaj=2oyTjNT1WWTGr0FoN6PikKOqUqi5MCHw@mail.gmail.com/T/#t 
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e97f9540ce001503a4539f337da742c1dfa7d86a 

smb: server: make use of rdma_destroy_qp()
https://lore.kernel.org/linux-cifs/20250702071805.2540741-1-metze@samba.org/T/#u 
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0c2b53997e8f5e2ec9e0fbd17ac0436466b65488   

iwarp-mpa: add dissection for MPA v2 message and legacy IRD/ORD negotiation
https://gitlab.com/wireshark/wireshark/-/merge_requests/21004 
=> https://gitlab.com/wireshark/wireshark/-/commit/9674b8498ca5269bb99fb79918a0defc9f8739ae 

iwarp-mpa: make iwarp_mpa available to tcp.port decode-as
https://gitlab.com/wireshark/wireshark/-/merge_requests/21115 
=> https://gitlab.com/wireshark/wireshark/-/commit/2c44443d8fa4db7fd34044762c2435d4ad407175

smb:client: fix possible use after free problems
https://lore.kernel.org/linux-cifs/cover.1754308712.git.metze@samba.org/T/#t (5 patches) 
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=24eff17887cb45c25a427e662dda352973c5c171

smb:server: fix possible use after free problems
https://lore.kernel.org/linux-cifs/cover.1754309565.git.metze@samba.org/  (4 patches)
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=a6c015b7ac2d8c5233337e5793f50d04fac17669

smb: smbdirect/client/server: make use of common structures
lore.kernel.org/linux-cifs/cover.1756139607.git.metze@samba.org/T/  + some more patches  (159 patches)
=> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=1b53426334c3c942db47e0959a2527a4f815af50  

In Review:
[PATCH v2 000/127] smb: smbdirect/client/server: moving to common functions and smbdirect.ko
https://lore.kernel.org/linux-cifs/cover.1761742839.git.metze@samba.org 

6.2 SMB direct: SMB Direct support in smbd and smbclient (ETA: 2025-10-14)
The integration of SMB Direct support in smbd and smbclient - the server and client - would also mean we will be able to write perform regression tests. We will also implement signing and encryption for the raw data transfer.

6.3 SMB direct: Add automated SMB Direct functional testing (ETA: 2026-02-28)
For automated tests it's important to avoid real kernel sockets. socket_wrapper simulates tcp and udp sockets on top of unix domain sockets. We will allow socket wrapper to have additional plugins, similar to QUIC we will simulate the SMB Direct kernel interface. If it turns out to be too complex to add to socket_wrapper, we will alternatively use network namespaces.