As per upstream advisory:
Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol (as then expressed in LDAP) schema constraints for security.
Some attributes in Samba AD are sensitive: they apply to one object but protect others.
Users who can set msDS-AllowedToDelegateTo can become any user in the domain on the server pointed at by this list. Likewise, in a domain mixed with Microsoft Windows, Samba's lack of protection of sidHistory would be a similar issue.
This would be limited to users with the right to create users or modify them (typically those who created them); however, due to other flaws, all users are able to create new user objects.
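The practical check an administrator wants after reading the advisory is an inventory of which objects in the directory actually carry the two sensitive attributes it names. The script below is an added example, not code from the advisory or from Samba: it parses LDIF of the kind `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(msDS-AllowedToDelegateTo=*)(sIDHistory=*))'` prints, decodes binary sIDHistory values into S-1-... form, and reports every delegation target not on an allow-list plus every sIDHistory value. The records, the example.com names and the EXPECTED_DELEGATION allow-list are constructed for the illustration. An empty report does not mean the hardening is in place; it only shows nobody has used the attributes yet.

```python
"""Audit Samba AD LDIF output for msDS-AllowedToDelegateTo and sIDHistory.

Added example, not Samba code. Real input would come from ldbsearch against
sam.ldb; the SAMPLE_LDIF below is constructed for the example.
"""
import base64
import struct
from typing import Dict, List, Set, Tuple

# Attributes whose LDIF values are binary SIDs and should be rendered as strings.
SID_ATTRS = {"sidhistory", "objectsid"}


def sid_to_string(raw: bytes) -> str:
    """Render a binary SID (revision byte, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) as S-R-A-S1-..."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into one dict per record: lower-cased attribute -> values.
    Handles folded continuation lines, comments and base64 ('::') values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        key = attr.lower()
        if value.startswith(":"):  # base64-encoded value
            raw = base64.b64decode(value[1:].strip())
            value = sid_to_string(raw) if key in SID_ATTRS else raw.decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    return records


def audit(records: List[Dict[str, List[str]]],
          expected_delegation: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (dn, attribute, value) for every delegation target not on the
    allow-list for that account and for every sIDHistory value present."""
    findings: List[Tuple[str, str, str]] = []
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        name = rec.get("samaccountname", ["?"])[0]
        allowed = expected_delegation.get(name, set())
        for spn in rec.get("msds-allowedtodelegateto", []):
            if spn not in allowed:
                findings.append((dn, "msDS-AllowedToDelegateTo", spn))
        for sid in rec.get("sidhistory", []):
            findings.append((dn, "sIDHistory", sid))
    return findings


# Constructed sample: one legitimate service account, one ordinary user with a
# delegation entry pointing at a DC, one user carrying a sIDHistory value.
_SID_HIST = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 500)
SAMPLE_LDIF = f"""# constructed sample, not real directory output
dn: CN=svc-web,CN=Users,DC=example,DC=com
sAMAccountName: svc-web
msDS-AllowedToDelegateTo: http/web01.example.com
msDS-AllowedToDelegateTo: http/web01
whenCreated: 20200101000000.0Z

dn: CN=jdoe,CN=Users,
 DC=example,DC=com
sAMAccountName: jdoe
msDS-AllowedToDelegateTo: cifs/dc1.example.com
whenCreated: 20211101120000.0Z

dn: CN=ghost,CN=Users,DC=example,DC=com
sAMAccountName: ghost
sIDHistory:: {base64.b64encode(_SID_HIST).decode()}
whenCreated: 20211101120500.0Z
"""

# Accounts that legitimately have constrained delegation configured (assumed).
EXPECTED_DELEGATION: Dict[str, Set[str]] = {"svc-web": {"http/web01.example.com", "http/web01"}}

if __name__ == "__main__":
    for dn, attr, value in audit(parse_ldif(SAMPLE_LDIF), EXPECTED_DELEGATION):
        print("%s  %s = %s" % (dn, attr, value))
```

Run against real output, the report lists the distinguished name of every object that can impersonate users on a target server, or that claims another account's SID, so each entry can be checked against the change that created it.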
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 2021721]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):