As per upstream advisory: A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made. For example: - if a user or group was previously delegated the right to create or modify a subtree (say to allow desktop support to reset passwords and create users) - and subsequently this right was taken away The removal would not automatically be taken away on all domain controllers. Because this patch only fixes new replication into the future, it is vital that a full-sync be done TO each Domain controller to ensure each ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs. See the instructions in "workaround and required steps post-upgrade" below.
Acknowledgments: Name: the Samba project
Statement: This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
Mitigation: Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause all ACLs to be syncronised from DC2 to DC1, for the given NC (naming context), eg: samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync Internally both in patched and un-patched versions, for every object replicated with a --full-sync, the inheritance will be correctly calculated. This only needs to be done TO each DC, not for each pair-wise pair.
External References: https://www.samba.org/samba/security/CVE-2019-14902.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1793405]