Samba (software)
from Wikipedia

Samba
Initial release: 1992[1]
Stable release: 4.23.3[2] (7 November 2025)
Written in: C, Python
Operating system: Multiplatform
Type: Network file system
License: 2008: GPL-3.0-or-later[a]; 1993: GPL-2.0-or-later[b]; 1992: Proprietary[c]
Website: www.samba.org

Samba is a free software re-implementation of the SMB networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients[5] and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

Samba runs on most Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple macOS (Mac OS X 10.2 and greater) and macOS Server. Samba also runs on a number of other operating systems such as OpenVMS and IBM i. Samba is standard on nearly all distributions of Linux and is commonly included as a basic system service on other Unix-based operating systems as well. Samba is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server Message Block), the name of the proprietary protocol used by the Microsoft Windows network file system.

Early history

Andrew Tridgell developed the first version of Samba Unix in December 1991 and January 1992, as a PhD student at the Australian National University, using a packet sniffer to do network analysis of the protocol used by DEC Pathworks server software. It did not have a formal name at the time of the first releases, versions 0.1, 0.5, and 1.0, all from the first half of January 1992; Tridgell simply referred to it as "a Unix file server for Dos Pathworks." He understood that he had "in fact implemented the netbios protocol" at the time of version 1.0 and that "this software could be used with other PC clients."[citation needed]

With a focus on interoperability with Microsoft's LAN Manager, Tridgell released "netbios for unix", nbserver, version 1.5 in December 1993. This release was the first to include client software as well as a server. At this time the GPL2 was also chosen as the license.[citation needed]

Midway through the 1.5-series, the name was changed to smbserver. However, Tridgell got a trademark notice from the company "Syntax", who sold a product named TotalNet Advanced Server and owned the trademark for "SMBserver". The name "Samba" was derived by running the Unix command grep through the system dictionary looking for words that contained the letters S, M, and B, in that order (i.e. grep -i '^s.*m.*b' /usr/share/dict/words).[6]

Versions 1.6, 1.7, 1.8, and 1.9 followed relatively quickly, with the latter being released in January 1995. Tridgell considers the adoption of CVS in May 1996 to mark the birth of the Samba Team, though there had been contributions from other people, especially Jeremy Allison, previously.[7]

Version 2.0.0, released in January 1999, was a major release, including support for authentication against a Windows NT Primary Domain Controller, 64-bit filesystem support for very large files, and exposure of OPLOCKS to Unix systems.[citation needed] Version 2.2.0 was released in April 2001.[citation needed]

Version history

Legend:
Unsupported
Supported
Latest version
Preview version
Future version
Date Version Description
23 September 2003 Unsupported: 3.0 Active Directory support.[8] The 3.0.x series officially reached end-of-life on 5 August 2009.[9]
1 July 2008 [10] Unsupported: 3.2 It will be updated on an as-needed basis for security issues only.[11][12] There was a change of license from GPL2 to GPL3, with some parts released under LGPL3.[4] The 3.2.x series officially reached EOL 1 March 2010.[10]
27 January 2009 Unsupported: 3.3
3 July 2009 Unsupported: 3.4 This was the first release to include both Samba 3 and Samba 4 source code.[13]
1 March 2010 Unsupported: 3.5 This was the first release to include experimental support for SMB2.[14]
9 August 2011 Unsupported: 3.6 This is the first branch to include full support for SMB2.[15]
11 December 2012 Unsupported: 4.0 A major rewrite that enables Samba to be an Active Directory domain controller, participating fully in a Windows Active Directory Domain. Its first technical preview (4.0.0TP1) was released in January 2006 after 3 years of development.[16][17]
10 October 2013 Unsupported: 4.1 Support for SMB3.
4 March 2015 Unsupported: 4.2 Btrfs based file compression, snapshots and winbind integration[18]
8 September 2015 Unsupported: 4.3 New Logging features, SMB 3.1.1 support.[19]
22 March 2016 Unsupported: 4.4 Asynchronous flush requests[20]
7 September 2016 Unsupported: 4.5 NTLM v1 disabled by default, Virtual List View, Various performance improvements.
7 March 2017 Unsupported: 4.6 Multi-process Netlogon support.
21 September 2017 Unsupported: 4.7 Samba AD with MIT Kerberos.
13 March 2018 Unsupported: 4.8 Apple Time Machine Support. Setups using 'domain' or 'ads' security modes now require 'winbindd' to be running.[21]
13 September 2018 Unsupported: 4.9 Many changes.[22]
19 March 2019 Unsupported: 4.10
17 September 2019 Unsupported: 4.11 SMB1 is disabled by default as a mitigation for the WannaCry vulnerability.
3 March 2020 Unsupported: 4.12
22 September 2020 Unsupported: 4.13 Samba 4.13 raises the minimum version of Python to 3.6.
9 March 2021 Unsupported: 4.14 Major overhaul of VFS subsystem and more.[23]
20 September 2021 Unsupported: 4.15 Many changes.[24]
21 March 2022 Unsupported: 4.16 Many changes.[25]
13 September 2022 Unsupported: 4.17 Many changes.[26]
8 March 2023 Unsupported: 4.18 Many changes.[27]
4 September 2023 Unsupported: 4.19 Many changes.[28]
27 March 2024 Supported: 4.20 Many changes.[29]
2 September 2024 Supported: 4.21 Many changes.[30]
6 March 2025 Latest version: 4.22 SMB3 Directory Leases are supported, Netlogon Ping can be done over LDAP and LDAPS, experimental Himmelblau authentication for Azure Entra ID, performance improvements, nmbd proxy logon feature is removed.[31]

Security

Some versions of Samba up to and including 3.6.3 suffer from a serious security issue in Samba's remote procedure call code that can allow an anonymous user, over an anonymous connection, to gain root access to the system.[32]

On 12 April 2016, Badlock,[33] a crucial security bug in Windows and Samba, was disclosed. Badlock for Samba is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible).[34]

On 24 May 2017, it was announced that a remote code execution vulnerability had been found in Samba named EternalRed or SambaCry, affecting all versions since 3.5.0.[35] This vulnerability was assigned identifier CVE-2017-7494.[35][36]

On 14 September 2020, a proof-of-concept exploit for the Netlogon vulnerability called Zerologon (CVE-2020-1472), for which a patch had been available since August, was published.[37] Some federal agencies using the software have been ordered to install the patch.[38]

Features

Samba allows file and print sharing between computers running Microsoft Windows and computers running Unix. It is an implementation of dozens of services and a dozen protocols, including:

  • NetBIOS over TCP/IP (NBT)
  • SMB (known as CIFS in some versions)
    • Samba supports POSIX extensions for CIFS/SMB. The initial extension was CIFS VFS (CAP_UNIX) from 2004, which has been somewhat superseded by SMB3.[39]
  • DCE/RPC or more specifically, MSRPC, the Network Neighborhood suite of protocols
  • A WINS server also known as a NetBIOS Name Server (NBNS)
  • The NT Domain suite of protocols which includes NT Domain Logons
  • Security Account Manager (SAM) database
  • Local Security Authority (LSA) service
  • NT-style printing service (SPOOLSS)
  • NTLM
  • Active Directory Logon using modified versions of Kerberos and LDAP
  • DFS server

All these services and protocols are frequently incorrectly referred to as just NetBIOS or SMB. The NBT (NetBIOS over TCP/IP) and WINS protocols, and their underlying SMB version 1 protocol, are deprecated on Windows. Since Windows Vista the WS-Discovery protocol has been included along with SMB2 and its successors, which supersede these. (WS-Discovery is implemented on Unix-like platforms by third party daemons which allow Samba shares to be discovered when the deprecated protocols are disabled).

Samba sets up network shares for chosen Unix directories (including all contained subdirectories). These appear to Microsoft Windows users as normal Windows folders accessible via the network. Unix users can either mount the shares directly as part of their file structure using the mount.cifs command or, alternatively, can use a utility, smbclient (libsmb) installed with Samba to read the shares with a similar interface to a standard command line FTP program. Each directory can have different access privileges overlaid on top of the normal Unix file protections. For example: home directories would have read/write access for all known users, allowing each to access their own files. However they would still not have access to the files of others unless that permission would normally exist. Note that the netlogon share, typically distributed as a read only share from /etc/samba/netlogon, is the logon directory for user logon scripts.

Samba services are implemented as two daemons:

  • smbd, which provides the file and printer sharing services, and
  • nmbd, which provides the NetBIOS-to-IP-address name service. NetBIOS over TCP/IP requires some method for mapping NetBIOS computer names to the IP addresses of a TCP/IP network.

Samba configuration is achieved by editing a single file (typically installed as /etc/smb.conf or /etc/samba/smb.conf). Samba can also provide user logon scripts and group policy implementation through poledit.

Samba is included in most Linux distributions and is started during the boot process. On Red Hat, for instance, the /etc/rc.d/init.d/smb script runs at boot time, and starts both daemons. Samba is not included in Solaris 8, but a Solaris 8-compatible version is available from the Samba website. The OS/2-based ArcaOS includes Samba to replace the old IBM LAN Server software.[40]

Earlier versions of Samba included a web administration tool called Samba Web Administration Tool (SWAT),[41][42] which was removed starting with version 4.1.[43]

Samba TNG

Samba TNG (The Next Generation) was forked in late 1999, after disagreements between the Samba Team leaders and Luke Leighton about the directions of the Samba project. They failed to come to an agreement on a development transition path which allowed the research version of Samba he was developing (known at the time as Samba-NTDOM) to slowly be integrated into Samba.[44] Development was minimal, due to a lack of developers. The Samba TNG team frequently directed potential users towards Samba because of its better support and development.[45]

A key goal of the Samba TNG project was to rewrite all of the NT Domains services as FreeDCE projects.[46] This was made difficult as the services were developed manually through network reverse-engineering, with limited or no reference to DCE/RPC documentation.[citation needed]

A key difference from Samba was in the implementation of the NT Domains suite of protocols and MSRPC services. Samba makes all the NT Domains services available from a single place, whereas Samba TNG separated each service into its own program.[citation needed]

ReactOS started using Samba TNG services for its SMB implementation. The developers of both projects were interested in seeing the Samba TNG design used to help get ReactOS talking to Windows networks. They worked together to adapt the network code and build system. The multi-layered and modular approach made it easy to port each service to ReactOS.[47]

Samba TNG now appears to be abandoned and unmaintained. Its website is offline, with a functional archive from 2016.[48] The last release for ReactOS was in 2009.

from Grokipedia
Samba is a software suite that implements the Server Message Block (SMB) protocol and related services, enabling file and print sharing between Unix-like operating systems and Windows systems. Originally developed in 1992 by Australian programmer Andrew Tridgell as a tool to reverse-engineer Microsoft's SMB protocol for interoperability, it has evolved into a comprehensive solution for network file services, authentication integration, and domain control. The software provides secure, stable, and high-performance file and print services, supporting protocols including SMB/CIFS, LDAP, and Kerberos, and allowing Unix systems to function as domain controllers, member servers, or standalone file servers in heterogeneous environments. It is licensed under the GNU General Public License and maintained by a global community through the Samba Team, ensuring compatibility with a wide range of clients and scalability for uses including high-performance computing (HPC) and network-attached storage (NAS). As of November 2025, the current stable release is 4.23.3, which includes enhancements for SMB3 Unix extensions and ongoing support for modern Windows clients. Key components include the smbd daemon for SMB services, nmbd for name resolution, and winbindd for authentication integration, making Samba essential for cross-platform networking in enterprise and open-source deployments.

History

Origins and Early Development

Samba was founded by Andrew Tridgell, a PhD student at the Australian National University, who began developing the software in late 1991 to enable file sharing between Unix systems and Windows PCs using the proprietary Server Message Block (SMB) protocol. Tridgell's motivation stemmed from the need to mount Unix disk space on a DOS PC via the NetBIOS interface, as existing tools like NFS clients were inadequate for NetBIOS-based applications. Without access to Microsoft's documentation, Tridgell reverse-engineered the SMB protocol primarily through packet sniffing, capturing and analyzing network traffic to understand the protocol's structure and behavior. The initial release, named smbserver version 0.1, appeared in January 1992 as a basic SMB server for Unix systems, initially under a permissive "do what you like" license. This early code went through quick bug-fix iterations before Tridgell paused development later that year. By 1993, key contributors such as Jeremy Allison joined the project, bringing protocol expertise and helping expand its capabilities. Volker Lendecke also emerged as an early core developer, contributing to foundational aspects of the codebase. The project adopted the GNU General Public License (GPL) with the release of nbserver 1.5, marking its commitment to open-source principles and enabling collaborative growth. Samba 1.0, released in 1994, represented a significant milestone as the first stable version under the Samba name, chosen to resolve a trademark conflict with the original SMB designation, and included basic support for the Common Internet File System (CIFS), an extension of SMB. This version addressed early challenges in protocol fidelity, allowing Unix systems to function as SMB servers compatible with Windows clients. By the mid-1990s, Samba saw widespread adoption in Linux distributions, which began packaging it around 1995, facilitating cross-platform networking in enterprise and academic environments. This early integration underscored Samba's role in bridging Unix and Windows ecosystems, laying the groundwork for its evolution into a robust open-source alternative to proprietary networking solutions.

Version History

Samba's development began with the 1.x series, released starting in early 1992, which introduced basic support for the SMB1 protocol, enabling file and print sharing between Unix systems and Windows clients. This series laid the foundation for stable authentication mechanisms, allowing initial password-based security for network access, though limited to simple workgroup configurations. Key milestones included the 1.9 release in January 1995, which added master browser capabilities for network discovery, and ongoing refinements through 1.9.18 in 1998, focusing on reliability and documentation. The 1.x series reached end-of-life around 2000 as focus shifted to more advanced features.

The 2.x series, launched with version 2.0.0 in January 1999, enhanced compatibility with Windows NT domains, supporting operation as both primary domain controller (PDC) and backup domain controller (BDC) for centralized user authentication. 2.0 also introduced the Samba Web Administration Tool (SWAT), a browser-based interface for configuring smb.conf. It introduced preliminary support for the evolving SMB protocol, improving performance and stability over 1.x, alongside integration with LDAP for directory services starting in version 2.2 (April 2001). The series continued until 2003, with 2.2.12 as the final stable release, emphasizing better integration with enterprise environments before the transition to 3.x.

Samba 3.0, released on September 24, 2003, marked a significant upgrade with full support for the CIFS/SMB protocol, including ACLs and improved cross-platform handling. It added compatibility for joining Windows domains as a member server, enabling Unix systems to authenticate against Windows servers without full domain control. Later releases in the 3.x series, spanning until 2012, introduced clustering support via CTDB for high availability and winbind enhancements for identity mapping. The 3.6 branch, released August 9, 2011, received security updates until March 2015, after which it entered end-of-life.

The 4.x series debuted with version 4.0 on December 11, 2012, implementing a full Active Directory domain controller and supporting features like DNS integration. It also added native SMB3 protocol support for multichannel connections and encryption, advancing secure file transfers. Configuration shifted toward JSON-based formats in subsequent releases for better scripting. Samba 4.11.0, released September 17, 2019, required Python 3 as the runtime, with no runtime support for Python 2 (though limited build-time Python 2 use remained possible temporarily). Samba 4.18, launched March 8, 2023, included performance optimizations such as improved VFS modules and better handling of large directories. The series continues actively, with 4.23 released September 12, 2025, introducing SMB3 over QUIC for encrypted transport over untrusted networks without VPNs. As of November 2025, the latest stable release is 4.23.3, with ongoing maintenance for branches like 4.21 and 4.22 until their respective end-of-life dates in 2026.

Architecture and Components

Core Modules

The core modules of Samba form the foundational components that enable its interoperability between Unix systems and Windows networking protocols. These include server daemons responsible for handling sessions, name resolution, and domain integration, as well as supporting libraries for client access and local state storage. The configuration of these modules is primarily managed through a centralized file, with build-time dependencies ensuring compatibility with authentication standards.

The smbd daemon serves as the primary server in Samba, managing SMB/CIFS-based file and print sessions with clients. It establishes a dedicated process for each client connection, supporting file access, permission enforcement, and printer queuing over TCP/IP streams. This daemon interprets requests from compatible clients, such as Windows systems and smbfs, while adhering to the configuration defined in smb.conf. For instance, it handles operations like file locking and directory traversal, ensuring reliable data transfer in mixed environments.

Complementing smbd, the nmbd daemon provides NetBIOS over IP services, including name registration, resolution, and network browsing. It responds to name queries from SMB/CIFS clients, acting as a WINS server or proxy to map NetBIOS names to IP addresses, which facilitates discovery in legacy Windows networks. Additionally, nmbd maintains a browse list database to enable the "Network Neighborhood" functionality, allowing clients to enumerate available shares and servers. This module is crucial for environments where broadcast-based discovery is still in use.

The winbindd daemon facilitates seamless integration between Windows domains and Unix systems by mapping Windows NT Security Identifiers (SIDs) to Unix user and group IDs. It operates as a Name Service Switch (NSS) provider, enabling commands like getent to resolve domain users and groups, and supports authentication through the PAM module pam_winbind. Winbindd connects to domain controllers to fetch credential information, supporting ID ranges configurable in smb.conf to avoid conflicts with local Unix IDs. This allows Unix applications to authenticate against Windows domains without native support.

On the client side, the libsmbclient library offers a programmatic interface for accessing SMB/CIFS resources, providing POSIX-like APIs for file operations such as opening, reading, and writing to remote shares. It supports URL-based connections (e.g., smb://server/share) and integrates with applications for tasks beyond basic mounting, including attribute manipulation and directory browsing. The library checks user-specific configuration files appended to the system smb.conf, ensuring consistent behavior across client tools.

Samba also relies on the tdb (Trivial Database) library for efficient local storage of transient and persistent data, such as session states, lock information, and machine accounts. Designed as a lightweight, lockable key-value store similar to GDBM but with support for concurrent writers, tdb enables fast access without the overhead of full relational databases. It is used internally by daemons like smbd and winbindd to maintain state across restarts.

Configuration for these modules is handled via the smb.conf file, typically located at /etc/samba/smb.conf, which uses a section-based structure for defining global and per-share settings. The [global] section sets server-wide parameters, such as workgroup membership, log levels, and security modes, applying defaults to all services. Share definitions, like [homes] for user directories or custom sections (e.g., [public] with path = /shared and read only = no), specify access paths, permissions, and behaviors unique to each resource. Comments and line continuations enhance readability, while parameter names are case-insensitive.

At build time, Samba depends on external libraries for Kerberos, notably supporting either the Heimdal Kerberos implementation (bundled internally) or MIT Kerberos (version 1.15.1 or later) for features like domain control. These dependencies ensure secure ticket-based authentication, with options selectable during compilation to match system requirements.
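The SID-to-Unix-ID mapping that winbindd performs, with a configured ID range keeping domain accounts clear of local Unix IDs, is illustrated by the following added example. It is not Samba's own code: it parses SID strings, splits off the RID, and applies the arithmetic scheme documented for Samba's idmap_rid backend (unix_id = RID - base_rid + low_id), rejecting SIDs from other domains or SIDs that would land outside the configured range. The domain SID, the range and the RIDs used are constructed values.

```python
import re

# Shape of a SID string: S-1-<identifier authority>-<sub-authority>-...
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    match = SID_RE.match(sid.strip())
    if not match:
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(match.group(1))
    subs = [int(part) for part in match.group(2).split("-")[1:]]
    return authority, subs


def split_domain_rid(sid):
    """Return (domain SID, RID); the RID is the final sub-authority."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"SID has no domain component: {sid!r}")
    domain = "S-1-" + "-".join(str(x) for x in [authority] + subs[:-1])
    return domain, subs[-1]


class RidMapper:
    """Algorithmic SID <-> Unix ID mapping in the style of Samba's idmap_rid
    backend: unix_id = RID - base_rid + low_id, valid only inside the range
    configured for the domain (e.g. 'idmap config EXAMPLE : range = 10000-999999').
    Constructed example, not Samba's implementation."""

    def __init__(self, domain_sid, low_id, high_id, base_rid=0):
        if low_id >= high_id:
            raise ValueError("range must satisfy low_id < high_id")
        self.domain_sid, self.low_id, self.high_id, self.base_rid = (
            domain_sid, low_id, high_id, base_rid)

    def sid_to_unix_id(self, sid):
        domain, rid = split_domain_rid(sid)
        if domain != self.domain_sid:
            raise LookupError(f"{sid} belongs to another domain")
        unix_id = rid - self.base_rid + self.low_id
        if not self.low_id <= unix_id <= self.high_id:
            raise LookupError(f"{sid} maps outside the configured ID range")
        return unix_id

    def unix_id_to_sid(self, unix_id):
        if not self.low_id <= unix_id <= self.high_id:
            raise LookupError(f"uid/gid {unix_id} is not inside the domain range")
        return f"{self.domain_sid}-{unix_id - self.low_id + self.base_rid}"


# Constructed domain SID and range; local Unix accounts (uid < 1000)
# can never collide with IDs produced for this domain.
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
mapper = RidMapper(EXAMPLE_DOMAIN_SID, low_id=10000, high_id=999999)

if __name__ == "__main__":
    for sid in (EXAMPLE_DOMAIN_SID + "-500", EXAMPLE_DOMAIN_SID + "-1103"):
        print(sid, "->", mapper.sid_to_unix_id(sid))
```

Because the mapping is purely arithmetic, every domain member configured with the same range produces the same IDs without a shared database, which is why the range must be chosen once and never overlap the local account range.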

Protocol Implementations

Samba implements the Server Message Block (SMB) protocol family, which serves as the core for file and printer sharing over networks, along with supporting standards for name resolution and remote procedure calls to ensure interoperability with Windows systems. The implementation in Samba encompasses multiple dialects of SMB, ranging from the original SMB1 to modern SMB3 variants, each building upon the previous with enhancements in performance, security, and functionality. These implementations handle the negotiation of dialect versions during session establishment, allowing clients and servers to agree on the highest mutually supported level while maintaining backward compatibility where necessary.

The earliest dialect, SMB1 (also known as CIFS), is a legacy protocol introduced in the 1980s and later extended by Microsoft, but it is considered insecure due to the absence of mandatory signing and encryption, making it vulnerable to man-in-the-middle attacks. Samba provides optional support for SMB1, which can be disabled at build time or via configuration to prioritize security, as seen in releases starting from Samba 4.11.0. SMB2, introduced by Microsoft in 2006, marked a significant redesign with reduced command complexity, support for packet signing to prevent tampering, and improved efficiency over SMB1; Samba added full SMB2 support in version 3.6.0, enabling features like persistent handles for better network resilience. Building on this, SMB3, released by Microsoft in 2012 with Windows 8 and Windows Server 2012, introduced multichannel for aggregating network connections, end-to-end encryption using AES-CCM, and directory leases for enhanced caching; Samba incorporated basic SMB3 support from version 4.0.0, with ongoing refinements for full compliance. Further evolution includes the SMB3.1.1 dialect, standardized by Microsoft in 2015, which mandates AES-256-GCM encryption and adds preauthentication integrity checks to protect against downgrade attacks. Samba supports SMB3.1.1 as the default maximum protocol dialect in recent versions, configurable via the client max protocol and server max protocol parameters in smb.conf, ensuring compatibility with modern Windows clients while allowing fallback to earlier dialects if needed.

Additionally, Samba 4.23.0 introduced support for SMB3 over QUIC, a 2020s extension that transports SMB3 packets over the QUIC protocol (UDP-based) for lower latency and better firewall traversal; this is enabled through new configuration options like server smb transport = quic and client smb transports = quic, facilitating secure access over the public internet without VPNs. However, as of November 2025, this requires the external quic.ko kernel module (tested with Linux 6.14) or a userspace fallback like ngtcp2 for client-side support.

For name resolution and session establishment, Samba implements NetBIOS over TCP/IP (NBT), a legacy standard defined in RFC 1001 and RFC 1002, which uses UDP port 137 for name queries and registrations alongside TCP port 139 for session services, ensuring compatibility with older Windows environments. This is handled primarily by the nmbd daemon, which can be disabled in favor of DNS for modern deployments. Samba also supports DCE/RPC (MSRPC), Microsoft's adaptation of the OSF DCE standard, for invoking remote services over SMB named pipes, enabling structured inter-process communication. Key DCE/RPC implementations in Samba include the LSARPC pipe, which provides interfaces for managing local and domain security policies such as user rights, privileges, and trusted domain objects, as specified in the MS-LSAD protocol. Similarly, the SAMR (Security Account Manager Remote) pipe allows remote administration of user accounts and groups, including enumeration and changes, per the MS-SAMR specification. These pipes are exposed via the dcerpc endpoint servers configuration, with defaults including lsarpc and samr, and support application-level encryption using algorithms like AES for sensitive operations.

To optimize file access performance, Samba implements opportunistic locks (oplocks), a caching mechanism from SMB1 that grants clients exclusive or shared read access to files, reducing network traffic by allowing local buffering; this is enabled by default via the oplocks = yes parameter in smb.conf. In SMB2 and later, oplocks evolved into leases, which extend caching to directories and multiple handles with finer-grained states (e.g., read-only or read-write caching), implemented in Samba starting from version 4.2.0 through the smb2 leases = yes option, further configurable with kernel oplocks = no to manage interactions with underlying filesystems.
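The smb.conf layout described under Core Modules (sections, name = value lines, comments, continuations, case- and whitespace-insensitive parameter names) and the dialect and signing parameters described in this section are exercised by the following added example, which also reflects the history in the Security section (SMB1 disabled by default since 4.11, signing as the Badlock mitigation). It is not Samba's own code: a minimal smb.conf parser plus an audit that flags a server still negotiating SMB1, disabled signing, permitted NTLMv1, disabled SMB3 encryption, and guest-writable shares. The dialect table is an abridged transcription of the names the smb.conf manual lists, the audit policy is this example's choice, and both sample configurations are constructed.

```python
import re

# Dialects in the order Samba negotiates them, named as "server min protocol" /
# "server max protocol" accept them; everything before SMB2_02 is SMB1.
# Abridged transcription of the smb.conf manual, for this example's use only.
DIALECT_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                 "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
DIALECT_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
TRUE_VALUES = {"yes", "true", "1"}

def dialect_rank(name):
    """Position of a dialect in the negotiation order, or -1 if unknown."""
    canon = DIALECT_ALIASES.get(name.strip().upper(), name.strip().upper())
    return DIALECT_ORDER.index(canon) if canon in DIALECT_ORDER else -1

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}: [section]
    headers, 'name = value' lines, whole-line '#'/';' comments, backslash
    continuations, and case- and whitespace-insensitive parameter names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                        # stray text outside any section
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections[current][name] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def audit(conf):
    """Findings for settings that weaken SMB security (this example's policy)."""
    findings = []
    g = next((s for n, s in conf.items() if n.lower() == "global"), {})
    min_proto = g.get("server min protocol")
    if min_proto is not None and 0 <= dialect_rank(min_proto) < dialect_rank("SMB2_02"):
        findings.append(f"global: server min protocol = {min_proto} still negotiates "
                        "SMB1, which has no mandatory signing or encryption")
    if g.get("server signing", "").lower() == "disabled":
        findings.append("global: server signing = disabled allows in-transit tampering")
    if g.get("ntlm auth", "").lower() in {"yes", "ntlmv1-permitted"}:
        findings.append("global: ntlm auth permits NTLMv1 responses")
    if g.get("smb encrypt", "").lower() in {"off", "disabled"}:
        findings.append("global: smb encrypt = off refuses SMB3 encryption")
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        writable = (is_true(share.get("writable", "no"))
                    or not is_true(share.get("read only", "yes")))
        if is_true(share.get("guest ok", "no")) and writable:
            findings.append(f"[{name}]: anonymous guests may write to this share")
    return findings

def audit_text(text):
    return audit(parse_smb_conf(text))

# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = """\
[global]
   ; parameter names are normalised, so spacing and case do not matter
   Server Min Protocol = NT1
   server signing = disabled
   ntlm auth = yes

[public]
   path = /srv/public
   guest ok = yes
   read only = no
"""

HARDENED_CONF = """\
[global]
   server min protocol = SMB3_00
   server signing = mandatory
   smb encrypt = required
   ntlm auth = ntlmv2-only

[team]
   path = /srv/team
   read only = no
   valid users = alice, \\
                 bob
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(conf) or ["no findings"])
```

The hardened sample requires SMB3 dialects so that smb encrypt = required can actually be honoured; a minimum of SMB2_02 would still shut out SMB1 but would let clients that cannot encrypt connect in the clear.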

Features

File and Print Services

Samba's core functionality revolves around providing cross-platform file and print sharing services, enabling Unix systems to interoperate seamlessly with Windows clients over the SMB/CIFS protocol. This allows users to access shared directories and printers as if they were native Windows resources, without requiring specialized hardware or additional software on the client side. Configuration is primarily managed through the smb.conf file, which defines shares, access rules, and operational parameters to suit various network environments.

Share configuration in Samba is handled via sections in the smb.conf file, where predefined sections like [homes] and [printers] offer dynamic sharing, while custom shares provide flexibility for specific directories. The [homes] section automatically creates a share for each user's home directory, using its path (e.g., /home/username) and setting read only = no to allow write access, with browseable inheriting from global settings to control visibility in network browsers. For printers, the [printers] section dynamically exposes all configured printers, requiring printable = yes and a temporary path like /var/tmp for spooling, often with guest ok = yes for anonymous access. Custom shares are defined with a section header such as [myshare], specifying path = /path/to/directory, read only = no for writable access, valid users = user1,user2 for restrictions, and browseable = yes to make it discoverable.

File access controls in Samba integrate Unix permissions with advanced ACL mechanisms to mimic Windows behaviors. At the basic level, Samba enforces Unix file system permissions based on the connecting user's identity, supplemented by smb.conf options like force user and valid users for share-level restrictions. For finer granularity, Samba supports ACL extensions on Unix file systems, mapping Windows ACL entries to POSIX ACL entries (e.g., user::rwx for full owner access), enabled via nt acl support = yes in smb.conf, though limited by the underlying filesystem's ACL support. Windows-style ACL mapping translates concepts like "Full Control" to rwx triplets using parameters such as security mask = 0777, storing mappings in file extended attributes for compatibility with Windows clients.

Print services in Samba facilitate sharing Unix printers with Windows clients through integration with the Common Unix Printing System (CUPS). Setting printing = CUPS in the [global] section of smb.conf directs Samba to use CUPS for queue management, allowing printers configured via the CUPS web interface (e.g., at https://localhost:631) to be exposed automatically through the [printers] section. This setup supports raw queue types for direct driver compatibility, enabling Windows clients to submit jobs via SMB without a local CUPS installation on the server. For high-volume environments, the spoolssd daemon can be enabled with rpc_server:spoolss = external and rpc_daemon:spoolssd = fork to handle multiple print jobs efficiently.

Performance tuning for Samba file and print services involves adjusting network and connection parameters in smb.conf to optimize for scale. Socket options like TCP_NODELAY reduce latency by disabling Nagle's algorithm, potentially doubling read performance in client environments, while SO_RCVBUF=8192 can enhance throughput but requires testing to avoid loopback degradation. The max connections parameter limits simultaneous links per share (e.g., max connections = 50) to prevent resource exhaustion in large deployments, and deadtime = 15 (in minutes) automatically closes idle connections, freeing server capacity compared to the default of 10080 minutes. These adjustments, combined with read size = 65536 for overlapping I/O, support efficient handling of enterprise workloads.

Common use cases for Samba's file and print services span home networks for simple media sharing, enterprise setups for centralized storage accessible by mixed OS clients, and virtualization environments where disk passthrough enables shared access to host resources. In home setups, basic [homes] shares allow family members to exchange files seamlessly; enterprise deployments leverage custom shares with ACL mapping for secure departmental access; and in virtualization, Samba facilitates passthrough of storage pools to VMs for consolidated management. Authentication for these shares typically relies on local Unix accounts, with domain integration available for advanced scenarios.

Domain and Authentication Integration

Samba versions prior to 4.0 provided support for acting as a Primary Domain Controller (PDC) or Backup Domain Controller (BDC) in NT4-style domains, enabling basic domain authentication and user management through the smbpasswd backend or LDAP integration. These capabilities allowed Samba to emulate Windows NT4 domain controllers, handling logon requests, password changes, and account synchronization in smaller networks. However, this implementation was limited to legacy protocols and lacked compatibility with modern Active Directory features like Kerberos authentication or hierarchical forests.

With the release of Samba 4.0 in 2012, the software evolved to support full Active Directory Domain Controller (AD DC) functionality, replicating the server-side components of AD environments. This includes integrated support for DNS via an internal BIND9-based server and Kerberos version 5 for secure authentication, allowing Samba to join or provision new AD forests and realms without requiring Windows servers. As a result, Samba 4.x can serve as a replacement for Windows DCs in mixed environments, managing objects like users, groups, and computers through LDAP and replicating changes via the DRSUAPI protocol.

The provisioning process for setting up a Samba AD DC begins with the samba-tool domain provision command, which initializes the necessary databases, including the NTDS DIT for directory services. This tool creates an initial domain administrator account, configures the Kerberos realm, and populates essential DNS records for service location (SRV) and name resolution, typically with options such as --server-role=dc and --dns-backend=BIND9_DLZ for full functionality. Once provisioned, the Samba service starts with the samba daemon in AD DC mode, enabling immediate authentication and policy enforcement across the network.

Samba supports trust relationships to facilitate interoperability with Windows domains, including one-way trusts where a Samba domain trusts a Windows domain for authentication without reciprocal access. These trusts leverage Kerberos cross-realm authentication, allowing users from the trusted domain to access Samba-managed resources while maintaining security boundaries, such as in external or forest trusts. Configuration uses samba-tool domain trust create to establish the relationship, specifying trust type, direction, and passwords, which enables seamless cross-forest authentication.

Group Policy Object (GPO) support in Samba AD DCs allows administrators to apply centralized configuration policies to domain-joined machines and users, mirroring Windows capabilities through integration with Remote Server Administration Tools (RSAT). Policies are stored in the SYSVOL share and can be edited using RSAT's Group Policy Management Console on Windows clients, with changes replicated to additional DCs. In multi-DC setups, SYSVOL replication often relies on rsync for unidirectional synchronization of policy files, ensuring consistency without native FRS or DFSR. This approach supports common policies for security settings, software deployment, and user preferences, though advanced scripting may be needed for full replication in larger deployments.

Enhancements in Samba 4.x have expanded deployment options, including Read-Only Domain Controller (RODC) support, first provided on an experimental basis in versions prior to 4.7 and made production-ready in Samba 4.7 (September 2017), with subsequent improvements including bug fixes for replication stability in later releases such as 4.15. RODCs in Samba receive updates from writable DCs via RPC but do not store sensitive credentials locally, enhancing security in untrusted networks while maintaining availability.
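A post-provisioning check for the service-location (SRV) records that the provisioning step above is supposed to publish. This is an added example, not Samba project code: the record names are the standard Active Directory SRV names, the zone snapshot is constructed, and ad.example.com / dc1.ad.example.com are placeholders.

```python
"""Check that a Samba AD DC published the SRV records clients use to find it.
Added example, not Samba project code. The zone below is a constructed
snapshot; for live data use `samba-tool dns query` or `host -t SRV`."""
from typing import Dict, List, Tuple

SrvRR = Tuple[int, int, int, str]   # (priority, weight, port, target)

def expected_srv_records(realm: str) -> Dict[str, int]:
    """Map each SRV name a DC must publish to the port it should advertise."""
    r = realm.lower()
    return {
        f"_ldap._tcp.{r}": 389,             # LDAP directory service
        f"_ldap._tcp.dc._msdcs.{r}": 389,   # DC locator
        f"_ldap._tcp.pdc._msdcs.{r}": 389,  # PDC emulator
        f"_ldap._tcp.gc._msdcs.{r}": 3268,  # global catalog
        f"_gc._tcp.{r}": 3268,
        f"_kerberos._tcp.{r}": 88,          # KDC
        f"_kerberos._udp.{r}": 88,
        f"_kerberos._tcp.dc._msdcs.{r}": 88,
        f"_kpasswd._tcp.{r}": 464,          # password changes
        f"_kpasswd._udp.{r}": 464,
    }

def check_zone(zone: Dict[str, List[SrvRR]], realm: str, dc_fqdn: str) -> List[str]:
    """Compare ZONE (name -> SRV records) with the expected set. Returns
    findings; empty means every record exists, uses the right port and
    points at DC_FQDN."""
    findings = []
    for name, port in expected_srv_records(realm).items():
        rrs = zone.get(name.lower(), [])
        if not rrs:
            findings.append(f"missing {name}")
            continue
        if not any(rr[3].lower().rstrip(".") == dc_fqdn.lower() for rr in rrs):
            findings.append(f"{name} does not point at {dc_fqdn}")
        for rr in rrs:
            if rr[2] != port:
                findings.append(f"{name}: port {rr[2]}, expected {port}")
    return findings

# Constructed zone snapshot (placeholder names): kpasswd records are missing
# and the global-catalog record advertises the LDAP port instead of 3268.
REALM, DC = "ad.example.com", "dc1.ad.example.com"
SAMPLE_ZONE = {n: [(0, 100, p, DC + ".")]
               for n, p in expected_srv_records(REALM).items()
               if not n.startswith("_kpasswd")}
SAMPLE_ZONE[f"_gc._tcp.{REALM}"] = [(0, 100, 389, DC + ".")]

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, REALM, DC):
        print(finding)
```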

Security

Known Vulnerabilities

One of the most significant vulnerabilities in Samba's history is CVE-2017-7494, commonly known as SambaCry, disclosed in May 2017. This remote code execution flaw stemmed from a bug in the Server Message Block (SMB) file-sharing protocol implementation, allowing a malicious client to upload and execute arbitrary shared libraries on writable shares. It affected all Samba versions from 3.5.0 up to but not including 4.4.14, 4.5.10, and 4.6.4. The vulnerability was exploited in various campaigns, including variants reminiscent of the WannaCry ransomware that targeted systems for cryptocurrency mining and backdoor installation.

In early versions of Samba, particularly those supporting the deprecated SMB1 protocol, weaknesses in message signing and the NTLM authentication mechanism exposed systems to man-in-the-middle attacks and relay exploits. SMB1 signing could be bypassed, enabling attackers to intercept, modify, and replay SMB traffic, while relay attacks allowed captured authentication credentials to be relayed to other network services for unauthorized access. These issues were inherent to the protocol designs implemented in Samba versions prior to widespread adoption of SMB2 and later dialects with stronger protections.

The Zerologon vulnerability, designated CVE-2020-1472, affected Samba's implementation of the Netlogon Remote Protocol (MS-NRPC) and was disclosed in August 2020. This elevation-of-privilege flaw allowed an unauthenticated attacker with network access to a domain controller to impersonate any computer account, potentially compromising the entire domain by resetting machine account passwords or crashing the server. As a protocol-level issue originally identified in Windows, it impacted Samba domain controllers in versions prior to 4.11.9, 4.12.4, and 4.13.1; the patch enforced AES and signing for Netlogon secure channels to prevent such bypasses.

CVE-2021-44142, disclosed in December 2021, involved an out-of-bounds heap read/write vulnerability in the vfs_fruit module, which provides compatibility with macOS file systems via Apple extensions to SMB. A remote attacker with write access to a share could craft extended attribute (EA) metadata to trigger the flaw during file operations, leading to remote code execution with the privileges of the smbd process, typically root. This affected all Samba versions before 4.13.17, 4.14.12, 4.15.6, and 4.16.1 when the module was enabled, which is the default in shared builds.

Post-2023 vulnerabilities highlight ongoing risks in Samba's Active Directory Domain Controller (AD DC) role and protocol implementations. For instance, CVE-2023-3961 is a path traversal vulnerability that allows a Samba client to gain unauthorized root access to internal services, such as winbindd, by including directory traversal characters in client pipe names. It affects Samba versions 4.0.0 through 4.18.2, excluding the patched releases 4.13.20, 4.14.14, 4.15.8, 4.16.6, and 4.17.3. Another example is CVE-2024-28834, a design flaw in the DirSync control that exposes passwords and secrets to privileged users and Read-Only Domain Controllers (RODCs) in Samba versions prior to 4.19.8, 4.20.4, and 4.21.1. In 2025, CVE-2025-10230 exposed a critical remote code execution flaw (CVSS 10.0) in the WINS server component of AD DCs, allowing unauthenticated attackers to execute arbitrary commands via the configured 'wins hook' script when WINS is enabled; it affects Samba versions from 4.0.0 onward and underscored persistent weaknesses in legacy features. These incidents have prompted a broader shift toward mandatory use of SMB 3.1.1, which incorporates enhanced encryption, signing, and multichannel capabilities to mitigate risks from older SMB dialects like SMB1 and vulnerable SMB3 implementations.
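A version-range check for the advisories listed above, added here as an example and not part of the Samba project. It implements the "affected from X up to but not including the fix in each maintenance branch" convention used by these advisories in general, not just for the four CVEs whose numbers are copied from this section.

```python
"""Version-range check for the Samba advisories discussed above.
Added example, not Samba project code: the first-affected and fixed-in
numbers are copied from the text above; refresh them from the official
advisories at samba.org before relying on them."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'4.13.17' -> (4, 13, 17); a pre-release tag such as '4.19.0rc1'
    is treated as the release it precedes."""
    return tuple(int(p) for p in text.split("rc")[0].split("."))

def is_affected(version: str, first: Optional[str], fixed_in: List[str]) -> bool:
    """Advisory convention: affected from FIRST (None = all earlier releases)
    up to but not including the fix in the release's own X.Y branch.
    Branches older than the newest fixed branch that got no fix were
    end-of-life and stay affected; branches newer than every fixed branch
    were cut with the fix already in place."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    if first is not None and v < parse_version(first):
        return False
    for fix in fixes:
        if v[:2] == fix[:2]:          # same maintenance branch as a fix
            return v < fix
    return v[:2] < fixes[-1][:2]      # unpatched branch older than newest fix

# (cve, first affected, fixed-in releases) as given in the section above.
ADVISORIES = [
    ("CVE-2017-7494",  "3.5.0", ["4.4.14", "4.5.10", "4.6.4"]),
    ("CVE-2020-1472",  None,    ["4.11.9", "4.12.4", "4.13.1"]),
    ("CVE-2021-44142", None,    ["4.13.17", "4.14.12", "4.15.6", "4.16.1"]),
    ("CVE-2024-28834", None,    ["4.19.8", "4.20.4", "4.21.1"]),
]

def affected_cves(version: str) -> List[str]:
    """CVEs from ADVISORIES whose version range covers VERSION. This is a
    version test only: CVE-2021-44142 also needs vfs_fruit loaded, and
    CVE-2020-1472 / CVE-2024-28834 only matter in the AD DC role."""
    return [cve for cve, first, fixed in ADVISORIES
            if is_affected(version, first, fixed)]

if __name__ == "__main__":
    for v in ("4.4.13", "4.13.0", "4.20.3", "4.21.1"):
        print(v, affected_cves(v))
```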

Mitigation and Best Practices

To secure Samba deployments, administrators should begin by hardening the core configuration in the smb.conf file. Disabling the legacy SMB1 protocol is essential due to its known vulnerabilities; this can be achieved by setting min protocol = SMB2 in the [global] section, ensuring only SMB2 and later dialects are used. Additionally, enforcing SMB signing prevents man-in-the-middle attacks by requiring cryptographic signing of all SMB packets; configure this with server signing = mandatory and client signing = mandatory to mandate signing for both server and client communications. These settings significantly reduce the attack surface without impacting modern clients.

Network-level protections further enhance security. Firewall rules should restrict access to Samba's primary ports, allowing only TCP 445 (and optionally TCP 139, UDP 137, and UDP 138 for legacy NetBIOS compatibility) from trusted IP ranges, for example using iptables or firewalld to block external traffic by default. For brute-force protection against authentication attempts, integrate tools like Fail2Ban, which monitors Samba logs for failed logins and dynamically bans offending IPs via firewall rules; a dedicated filter for Samba's log.smbd can detect patterns like repeated invalid credentials.

Maintaining up-to-date deployments is critical for addressing emerging threats. Subscribe to Samba's security notifications via the official address at [email protected] or the samba-announce list to receive alerts on patches and vulnerabilities. Regularly apply updates from the stable release channel, and use the smbstatus tool to monitor active connections, shares, and locks in real time, helping detect anomalous activity such as excessive concurrent sessions.

For comprehensive logging, enable the full_audit VFS module in smb.conf under specific shares with vfs objects = full_audit, which records client operations like file opens, reads, writes, and permission checks to syslog, facilitating forensic analysis of access attempts without noticeable performance overhead in most setups.

When configuring Samba as an Active Directory Domain Controller (AD DC), adhere to the principle of least privilege by isolating provisioned AD users from Unix system administrators, using distinct accounts and avoiding shared privileges to prevent privilege escalation. Prefer MIT Kerberos over Samba's bundled Heimdal implementation for the KDC, as it offers better interoperability with enterprise tools and upstream support; build Samba against MIT Kerberos at compile time or via distro packages for enhanced compatibility.

As of 2025, incorporate emerging protocols like SMB over QUIC for deployments requiring encrypted tunnels over untrusted networks; enable it in 4.23+ via the server smb transport options in smb.conf, leveraging TLS 1.3 for secure, VPN-alternative file access. Align with zero-trust principles by integrating multi-factor authentication (MFA) through AD federation with identity providers, enforcing device trust and continuous verification for all access requests.
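An smb.conf audit that checks the hardening settings from this section (SMB1 disabled, mandatory signing, full_audit on shares) together with the connection limits from the performance-tuning discussion under file and print services. It is an added example, not Samba's own code: the parser is a minimal stand-in for Samba's own parameter loading, the sample configuration is constructed, and `min protocol` is treated as the deprecated synonym of `server min protocol`.

```python
"""Audit an smb.conf against the tuning and hardening settings described
above. Added example, not Samba project code: it parses smb.conf's ini-style
syntax itself so it runs without Samba; `testparm -v` shows effective values."""
import re
# Constructed sample: SMB1 allowed via the deprecated synonym of 'server min
# protocol', signing left at its default, and a share with no connection limit.
SAMPLE_SMB_CONF = """
[global]
   ; 'min protocol' is the deprecated synonym of 'server min protocol'
   min protocol = NT1
   server signing = auto
   deadtime = 15

[data]
   vfs objects = full_audit
"""
# Dialects accepted by 'server min protocol', oldest first.
DIALECTS = ["NT1", "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
def parse_smb_conf(text):
    """Return {section: {param: value}}, names lower-cased as Samba treats them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or full-line comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf
def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    g, findings = conf.get("global", {}), []
    minp = g.get("server min protocol", g.get("min protocol", "")).upper()
    minp = {"SMB2": "SMB2_02", "SMB3": "SMB3_00"}.get(minp, minp)  # aliases
    if not minp:
        findings.append("server min protocol unset: pre-4.11 defaults allow SMB1")
    elif minp not in DIALECTS or DIALECTS.index(minp) < 1:
        findings.append("SMB1 permitted: set 'server min protocol = SMB2'")
    for side in ("server", "client"):
        if g.get(f"{side} signing", "").lower() != "mandatory":
            findings.append(f"{side} signing not mandatory (MITM/relay risk)")
    if g.get("deadtime", "").strip() == "0":
        findings.append("deadtime = 0: idle connections are never closed")
    for name, share in conf.items():
        if name == "global":
            continue
        if "max connections" not in share:
            findings.append(f"[{name}]: no 'max connections' limit")
        if "full_audit" not in share.get("vfs objects", "").split():
            findings.append(f"[{name}]: add full_audit to 'vfs objects'")
    return findings
```

Run `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file; an empty list means every check passed.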

Development and Community

Samba TNG Project

The Samba TNG (The Next Generation) project originated as a fork of the main Samba codebase in August 2000, initiated by developers including Luke Howard who sought to pursue more aggressive enhancements for domain integration than the conservative mainline development process would accept. Andrew Tridgell, Samba's founder, endorsed the fork and announced it publicly in October 2000, emphasizing its potential to explore innovative SMB server designs without the constraints of the mainline process. The project aimed to redesign Samba for improved scalability, particularly in enterprise environments requiring full NT domain controller capabilities, by leveraging the Distributed Computing Environment / Remote Procedure Call (DCE-RPC) infrastructure to better emulate NT domain services. A core objective was to rewrite NT domain services as independent FreeDCE-based components, enabling modular extensions and reducing dependencies on the monolithic Samba structure.

Key innovations in Samba TNG focused on architectural flexibility to support clustering and high-availability setups, including a DCE-RPC endpoint mapper, multi-transport support for varied network protocols, a virtualized SMB layer, and a daemonized model that separated core services into interchangeable modules. These changes were intended to facilitate scalable deployments, such as clustered file servers, by allowing components to communicate via sockets, paving the way for distributed operations. During its active phase from 2000 to 2003, the project produced prototypes that advanced Samba's handling of NT-specific protocols, including early RPC-based work and domain trust mechanisms.

Development efforts stalled around 2003, primarily due to limited developer resources and increasing overlap with parallel advancements in the mainline 3.x series, which prioritized stable releases over experimental redesigns. Several TNG contributors rejoined the core Samba team, bringing insights that influenced subsequent versions. Although the project was discontinued as a separate initiative, select components, such as enhanced DCE-RPC implementations and modular RPC server designs, were gradually integrated into mainline Samba, culminating in significant merges in version 4.16 released in 2022. The TNG effort's legacy endures in Samba's modern architecture, particularly its support for enterprise-scale domain services and improved modularity, which have enabled broader adoption in heterogeneous networks.

Ongoing Development and Ecosystem

Samba is maintained by the Samba Team as a member project of the Software Freedom Conservancy, a non-profit organization that provides fiscal sponsorship, legal support, and license compliance enforcement for free software initiatives. The project follows a structured release process for its 4.x series, with new major versions typically issued every six months, followed by maintenance releases over an 18-month lifecycle to address bugs, security issues, and feature enhancements. Contributions to Samba are coordinated through its Git repositories hosted at git.samba.org, where developers submit patches using git format-patch and email them to the samba-technical mailing list for review and integration. Bug reports and feature requests are tracked via the project's Bugzilla instance at bugzilla.samba.org, ensuring a transparent and collaborative development workflow that emphasizes code quality and community input.

The Samba ecosystem extends beyond its core server components through complementary tools that enhance usability and deployment. For instance, smbclient, a command-line utility included in Samba distributions, provides FTP-like access to SMB/CIFS shares for testing, scripting, and file management. rsync, while a separate tool, is commonly paired with Samba for efficient incremental backups of shared directories over networks, leveraging Samba's protocol for remote synchronization while minimizing data transfer. Additionally, Samba integrates with containerization platforms like Docker and orchestration systems such as Kubernetes, enabling scalable, containerized deployments for file services in cloud-native environments through projects like samba-in-kubernetes.

Community engagement is fostered through annual events like sambaXP, the international user and developer conference held in Göttingen, Germany, which brings together developers, vendors, and users for technical sessions, testing, and discussions on protocol advancements, with the 2025 edition occurring on April 7-8. Samba also participates in Google Summer of Code, sponsoring student projects to contribute features such as management tools and UI enhancements for server administration. Recent collaborations, including presentations on SMB enhancements at sambaXP 2025, highlight ongoing efforts with Windows Server 2025 features like SMB security hardening.
