Bug 1181638 (CVE-2014-8143)

It was reported that Samba's Active Directory Domain Controller allows the administrator to delegate creation of user or computer accounts to specific users or groups.
See External References for additional information.

However, all released versions of Samba's Active Directory Domain Controller did not implement the additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the userAccountControl attributes.

Most Samba deployments are not of the AD Domain Controller, but are of the classic domain controller, the file server or print server. Only the AD DC is affected by this issue.

Additionally, most sites running the AD Domain Controller do not configure delegation for the creation of user or computer accounts, and so are not vulnerable to this issue, as no writes are permitted to the userAccountControl attribute, no matter what the value.

Acknowledgements:

Red Hat would like to thank the Samba Team for reporting this issue. Upstream acknowledges Andrew Bartlett of Catalyst IT as the original reporter.

Statement:

Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 5, 6 and 7, and Red Hat Storage 2.1 and 3.0, versions of samba3x as shipped with Red Hat Enterprise Linux 5, versions of samba4 as shipped with Red Hat Enterprise Linux 6, as they did not include support for Samba Active Directory Domain Controller. All shipped Samba versions are using MIT Kerberos implementation as its Kerberos infrastructure of choice. The Samba builds shipped are using MIT Kerberos implementation in order to allow system-wide interoperability between both desktop and server applications running on the same machine.