This manifested itself for me in anaconda/ks installs. With 'firewall --enabled --ssh' (nothing else) in a kickstart and no mention of samba, it still wound up with modifications to iptables-config that unnecessarily installs ip_conntrack_netbios_ns module. A quick glance at lokkit.c indicates it is already tracking the samba-realated ports. So a solution would be to tell write_firewall to only make the change if(samba_port_ndx).
This is as designed. The samba port tracking is for serving - if you want to run a Samba server on your computer and allow people outside your firewall to gain access to it. The conntrack module is there simply for if you want to browse Samba shares on other people's computers, and should not be any cause for concern if it's loaded but you don't do this.