As per upstream report: In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC. Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a way that can be parsed using basic pointer handling. From this, future non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID in LDAP, confident that the ticket represents a specific user, not matter subsequent renames. This will allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the same string name (due to the gap between time of ticket printing by the KDC and time of ticket acceptance).
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2021729]