As per upstream advisory: The S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. Note: while the experimental MIT AD-DC build does not support S4U, it should still be patched due to a related bug in regular authentication.
Acknowledgments: Name: the Samba project Upstream: Isaac Boukris (Red Hat and Samba Team)
Mitigation: Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection. Therefore most Samba sites will not have been using this feature and so are not impacted either way.
Statement: This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
External References: https://www.samba.org/samba/security/CVE-2019-14870.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1781545]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14870