In this talk Namikoye Lusweti (Microsoft) gives an in-depth overview of the SMB3 Testsuites architecture, test methodology, and practical guides for testing both server and client SMB3 implementations. The Testsuites were developed by Microsoft’s Interoperability Protocols test team. The presentation will also offer valuable insights and techniques for ensuring accurate SMB3 deployments.
 

Enhancing compatibility with applications that rely on Linux and POSIX file semantics is crucial. In this presentation Steven French (Microsoft) explores the current state of SMB3.1.1 POSIX Extensions across various clients and multiple servers focusing on recent significant improvements. 

The session includes a live demonstration of key features enabled by SMB3.1.1 POSIX Extensions, showcasing examples with multiple servers, including Samba and ksmbd, and their impact on common workloads. Additionally, the discussion will cover requests for new features as Linux filesystem syscalls and capabilities continue to evolve.
 

The transition from traditional file storage to object-based architectures often leaves a gap for legacy applications that require POSIX file semantics. In this presentation Vinit Agnihotri (IBM) examines the implementation of SMB over Rados Gateway (RGW), a solution that allows Ceph object storage buckets to be mounted as standard file systems using the Samba file server. By mapping buckets as shares, this integration enables S3 data access without requiring changes to application code, while maintaining support for standard UNIX permissions.

At the core of this stack is librgw, which provides a complete RGW instance and exports C-style APIs for user interaction. We will explore how the vfs_ceph_rgw module facilitates this by instantiating and configuring librgw directly within the Samba environment. This includes a look at how VFS module parameters are used to pass critical Ceph-specific configurations—such as user credentials, access keys, and cluster configuration files—to
the underlying library.

The session will focus on the technical mechanics of this object-to-file; translation and provide a transparent look at the architectural constraints involved. We will discuss the specific limitations inherited from the librgw layer, particularly regarding POSIX operations that do not map naturally to object storage, such as random
writes, directory renaming, and symbolic links. Attendees will gain a clear understanding of the internal architecture, the configuration workflow, and the technical trade-offsnecessary when using Samba as a gateway to Ceph object storage.

MIT Kerberos implements a concept of authentication indicators (RFC8129) to allow identifying how initial authentication has been performed by a Kerberos principal. Authentication indicators allow to differentiate between use of a smartcard or a simple password-based pre-authentication mechanism, for example. Indicators can be verified by KDC or by a Kerberos service to allow flexible authorization policies.

On Active Directory side there is no way to guarantee that a particular user obtained its initial TGT with the help of a specific pre-authentication method. For this purpose, Microsoft has added an extension called Authentication Mechanism Assertion (AMA) which provides a mapping of a certificate extension OID to a dynamic group ownership in the PAC record.

In this talk Alexander Bokovoy (Red Hat) will describe an ongoing work to make these two mechanisms compatible in FreeIPA-Active Directory environment.  

As CephFS-backed SMB deployments grow in scale, operators need a practical way to control per-share I/O behavior. To address this need, Samba introduced vfs_aio_ratelimit, a stackable VFS module that enables share-level rate limiting for asynchronous I/O.

Avan Thakars (IBM) talk first revisits the original motivation, design, and constraints behind introducing vfs_aio_ratelimit. The initial implementation supports read and write IOPS and bandwidth limits at the per-smbd process level, enforcing limits by injecting calculated delays when configured thresholds are exceeded, while preserving Samba’s non-blocking, event-driven I/O model.
The session then focuses on recent and ongoing enhancements. A major improvement is the introduction of burst-aware rate limiting, allowing administrators to specify the maximum burst permitted for read and write operations instead of explicitly configuring maximum delays. This simplifies configuration and provides more natural behavior under bursty workloads.
The talk also covers work in progress toward cluster-wide rate limiting, which is required for consistent enforcement across all nodes in a clustered Samba deployment. This includes local TDB-based persistence of rate limiter state and a planned messaging-based synchronization mechanism for cluster-wide coordination. 

Finally, the talk demonstrates how vfs_aio_ratimit is already integrated into CephFS SMB QoS, where it is actively used by the Ceph SMB manager module. A live demo will show how rate limits are configured and applied using existing Ceph SMB management commands.

In the last 15 years, from the early 4.0.0 alphas to 4.24.0, Samba-AD has come a long way from a rough ride to a stable and mature product. It is a real achievement. Kudos to the Samba team. 

Nevertheless AD is never playing alone, and there is a whole ecosystem around. Making Samba-AD a real alternative involves making sure that it plays nicely with everything currently running in the network. 

In this talk, Dennis Cardon (Tranquil IT) will take us to a more technical dive into the meanders of certificate services, identity federation, security audit, authentication issues, and other stuff that keep us busy and stay alert day after day.

In this talk Kees van Vloten shows how to setup the components needed to allow OIDC based SSO on an internal website. We will take a look at the application-group in Samba-AD, the configuration of Keycloak with Samba-AD as a backend and the authentication in Apache of web-applications.

The current wave of LLM-based tools extends the domain of static analysis beyond code in isolation into the environment and the domain of interactions between components. This has led to a large number of bug reports for high profile  open source projects. Many of these reports are invalid or low value, but there have been some real bugs found.

This talk from Douglas Bagnall (Catalyst IT) is about how Samba is faring, which at the time of writing this abstract might be summarised as OK but a little bit weary.

The Virtual File System is Samba's window to the objects it serves to clients. It has seen a lot of changes in the past, one of the major revisions was moving towards at-based VFS calls to protect against vulnerabilities based on symlink races.  Together with the completion of smb311 unix extensions, symlink handling has changed in Samba: These days all symbolic links are followed and checked in user space by smbd, closing a lot of time-of-check/time-of-use races.

The VFS has also moved away from using path and file names whereever possible. Recent modifications converted the calculation of free disk space and quotas away from path names to file descriptors, which are safe against symlink races.

One recent insight is handling of the current working directory: The VFS right now carries a full-fledged chdir-Call that allows changing smb's current working directory to an arbitrary subdirectory within a share. With the change to use path names as little as possible, this is no longer necessary. Samba only ever changes into the root directory of a share.

A more fundamental change is right now in the planning phase: Given that Samba can open the share root directory as a file descriptor and use that as the dirfd argument to all at-based VFS operations, there is no need to switch smbds current working directory anymore.

All these changes should make life for VFS developers easier.