A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
[
{
"vendor": "n/a",
"product": "samba",
"versions": [
{
"version": "samba 4.15.2, samba 4.14.10, samba 4.13.14",
"status": "affected"
}
]
}
]