Samba has no special protection against addition of a sidHistory attribute during an LDAP ADD. Thankfully Samba also does not honour this attribute, but Windows does and a future Samba version might. We should work out how Windows protects sidHistory and include that in Samba. Windows 2019 gives: LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
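For administrators who want to check whether any object in an existing directory already carries the attribute described in the report above, here is an added audit example (not code from Samba or from this bug report). It assumes an LDIF export of the directory is available; the DNs and SIDs in the sample are constructed.

```python
import base64
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID into its S-R-A-S1-S2... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def find_sid_history(ldif_text: str) -> dict:
    """Map DN -> list of sidHistory SIDs for each LDIF record that has any."""
    # Unfold LDIF continuation lines (newline followed by one space).
    text = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    findings = {}
    for record in text.split("\n\n"):
        dn, sids = None, []
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")            # "attr:: <base64>"
            value = rest[1:].strip() if is_b64 else rest.strip()
            raw = base64.b64decode(value) if is_b64 else None
            if name.lower() == "dn":
                dn = raw.decode("utf-8") if is_b64 else value
            elif name.lower() == "sidhistory":
                sids.append(sid_to_str(raw) if is_b64 else value)
        if dn and sids:
            findings[dn] = sids
    return findings

# Constructed sample input: two records, one with sidHistory in both encodings.
_raw = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 512)
SAMPLE_LDIF = (
    "dn: CN=newuser,CN=Users,DC=example,DC=com\n"
    "objectClass: user\n"
    "sidHistory:: " + base64.b64encode(_raw).decode() + "\n"
    "sidHistory: S-1-5-21-1111111111-2222222222-3333333333-519\n"
    "\n"
    "dn: CN=plainuser,CN=Users,DC=example,DC=com\n"
    "objectClass: user\n"
)

if __name__ == "__main__":
    for dn, sids in find_sid_history(SAMPLE_LDIF).items():
        print(dn, sids)
```

Any DN this reports on a domain that never performed a migration deserves a look at who created the object and when.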
Fixed by a patch in bug 14778
A top level bug 14564 / CVE-2020-25722 will be used for these related issues.
Opening this sub-bug up to vendors.
This bug was referenced in samba v4-15-stable (Release samba-4.15.2): 65973d2efd4b27d564cb673bb6d349e8b5e0527e 07aef1e648d0b7464739647063ccb207061674d4 53de95a1f6a4a591c1bd8e470f39ecd34ac59099 e353a62513a2a5ca292dccbb79e3aff9f7190615
This bug was referenced in samba v4-14-stable (Release samba-4.14.10): 6bdda2d93ed49a07014a132a83f3a63efb332387 e90034d9182cd5936f92d70ab3804df8ec260d63 762ef653b9dabd0f1dd565444d05b709e0d32c32 80ff13f19c0d9cf37c5d54384939635d4ba8f78d
This bug was referenced in samba v4-13-stable (Release samba-4.13.14): d82cba0d8c796a140c52da72f5cbf10ca0e1de5a 448585950bda2c1daab8ffeb3971870ed0416634 20e466c13690600519511e45b0c72ed7987d2575 cc9259de55839ea145c0db1701817c743143568f
This bug was referenced in samba v4-15-test: 65973d2efd4b27d564cb673bb6d349e8b5e0527e 07aef1e648d0b7464739647063ccb207061674d4 53de95a1f6a4a591c1bd8e470f39ecd34ac59099 e353a62513a2a5ca292dccbb79e3aff9f7190615
This bug was referenced in samba v4-14-test: 6bdda2d93ed49a07014a132a83f3a63efb332387 e90034d9182cd5936f92d70ab3804df8ec260d63 762ef653b9dabd0f1dd565444d05b709e0d32c32 80ff13f19c0d9cf37c5d54384939635d4ba8f78d
This bug was referenced in samba v4-13-test: d82cba0d8c796a140c52da72f5cbf10ca0e1de5a 448585950bda2c1daab8ffeb3971870ed0416634 20e466c13690600519511e45b0c72ed7987d2575 cc9259de55839ea145c0db1701817c743143568f
This bug was referenced in samba master: 93e5902369c22d625fa2e48b3eafe043dc17e3ba f478aecc45efb56868bc7cec216f33e5db7ccf18 2bdff65b333365740e5e9c8c2b2fc176323f5108 dc08915834a8beed960328a62ecea88aa95f941d
The patches addressing this issue have been pushed to master and security releases made.