A vulnerability was found in the AD DC configuration of Samba 4.9.0 and later. When the window for watching for bad passwords (used to restrict brute-forcing of passwords) is set to more than 15 minutes, bad passwords are not watched for at all.
Mitigation: Bad password lockout is not configured by default; it is only effective if a threshold has been set with, e.g.:

    samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue, set a shorter 'Reset account lockout after' window (the ineffective default is 30; anything less than 15 will work):

    samba-tool domain passwordsettings set --reset-account-lockout-after=15

NOTE: If a fine-grained password policy (PSO) is set, this must also be done on each PSO.
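The following check script is an added example, not part of this bug entry or the Samba project's code. It parses the text that `samba-tool domain passwordsettings show` prints (the key/value layout used below is assumed from the tool's usual output and the sample is constructed) and reports whether lockout is unconfigured, effective, or falls into the condition this flaw describes: a threshold is set but the 'Reset account lockout after' window is longer than 15 minutes. The `fetch_live_settings` helper is a hypothetical wrapper for running the tool on a DC; the check itself works on captured text.

```python
"""Audit Samba AD DC lockout settings for the CVE-2018-16857 condition (added example)."""
import subprocess
from typing import Dict, Optional

# Constructed sample output, laid out the way samba-tool is assumed to print it.
# The threshold is set (3) but the reset window is the ineffective default (30).
SAMPLE_OUTPUT = """Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
"""

THRESHOLD_KEY = "Account lockout threshold (attempts)"
RESET_KEY = "Reset account lockout after (mins)"
# Per the advisory, a window of more than 15 minutes is not honoured on affected versions.
MAX_EFFECTIVE_WINDOW = 15


def parse_settings(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def assess_lockout(settings: Dict[str, str]) -> dict:
    """Classify the lockout policy as not_configured, ineffective, or effective."""
    threshold = int(settings.get(THRESHOLD_KEY, "0"))
    window = int(settings.get(RESET_KEY, "0"))
    if threshold == 0:
        status = "not_configured"      # lockout is off; the flaw is not reachable
    elif window > MAX_EFFECTIVE_WINDOW:
        status = "ineffective"         # the CVE-2018-16857 condition
    else:
        status = "effective"
    return {"threshold": threshold, "reset_window_minutes": window, "status": status}


def remediation(verdict: dict) -> Optional[str]:
    """Return the mitigation command from the advisory when the window is too long."""
    if verdict["status"] != "ineffective":
        return None
    return "samba-tool domain passwordsettings set --reset-account-lockout-after=15"


def fetch_live_settings() -> Optional[str]:
    """Hypothetical helper: run samba-tool on the DC; None if the tool is unavailable."""
    try:
        proc = subprocess.run(
            ["samba-tool", "domain", "passwordsettings", "show"],
            capture_output=True, text=True, check=True,
        )
        return proc.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = fetch_live_settings() or SAMPLE_OUTPUT
    verdict = assess_lockout(parse_settings(text))
    print(verdict)
    fix = remediation(verdict)
    if fix:
        print("Suggested mitigation:", fix)
```

On a real DC the script prefers the live tool output and falls back to the constructed sample when samba-tool is absent. The check only covers the domain-wide policy; as the NOTE above says, every fine-grained password policy (PSO) carries its own window and needs the same review.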
External Reference: https://www.samba.org/samba/security/CVE-2018-16857.html
Acknowledgments: Name: the Samba project; Upstream: Isaac Boukris
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1654095]
Statement: This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.