A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability.
By default, Samba 4.10 is run using the "standard" process model, which would leave only the CLDAP server affected. (Later versions use 'prefork').
This is controlled by the -M or --model parameter to the samba binary.
All Samba versions are impacted if -M prefork or -M single is used. To mitigate this issue for LDAP only, select -M standard (however this will use more memory, may allow resource exhaustion, and will still leave the CLDAP server exposed).