This is one aspect of bug 14556, that we attempt to operate on systems that do not run winbindd for NSS via string-based name mapping. This turns out to be quite dangerous in AD, even with the samAccountName inside the PAC to trust. This runs the risk that the DC could present us a username, inside the PAC, of "root" or other system users. We should not trust the AD DC that far - if we don't run winbindd we may well be in a situation where the AD DC is a central (e.g. university central IT) DC, but that authorization occurs locally (e.g. in a department). The expectation is that only locally created users can log in, but the ability for users to be named "root" is unexpected. However, standard AD permissions allow rename of accounts by the user who created them, who may not be locally trusted. We could add a new smb.conf option "minimum domain UID", defaulting to 1000, to mark system users as off limits.
In this issue, what I mean by "do not run winbindd for NSS" is that nss_winbind is not referenced in nsswitch.conf, and users come from another LDAP or /etc/passwd.
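The two comments above describe the hazard (a PAC-supplied samAccountName such as "root" being mapped by string to a local system account when nss_winbind is not in use) and the proposed mitigation (a minimum domain UID, default 1000, below which PAC-named users are refused). The following is an added illustration written for this page, not Samba's own code: it parses a constructed nsswitch.conf to decide whether winbind provides the passwd database, and, when it does not, refuses any PAC username that resolves to a UID below the configured minimum. The passwd table, the nsswitch.conf text and the function names are all constructed for the example; the default of 1000 is the value the comment proposes.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple


class PasswdEntry(NamedTuple):
    """Minimal stand-in for a struct passwd record (constructed for the example)."""
    name: str
    uid: int
    gid: int


# Constructed nsswitch.conf in which users come from files and LDAP only,
# i.e. the "do not run winbindd for NSS" situation the bug describes.
SAMPLE_NSSWITCH_NO_WINBIND = """\
# constructed sample
passwd:  files ldap
group:   files ldap
shadow:  files
hosts:   files dns
"""

# Constructed local account table standing in for /etc/passwd plus LDAP.
# Note that "root" and "daemon" are system accounts with UIDs below 1000.
SAMPLE_PASSWD: Dict[str, PasswdEntry] = {
    "root": PasswdEntry("root", 0, 0),
    "daemon": PasswdEntry("daemon", 1, 1),
    "alice": PasswdEntry("alice", 1001, 1001),
}


def nss_uses_winbind(nsswitch_text: str) -> bool:
    """Return True if the passwd database line in nsswitch.conf lists winbind.

    Comments and blank lines are ignored; only the first passwd line counts.
    """
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, sources = line.partition(":")
        if sep and db.strip() == "passwd":
            return "winbind" in sources.split()
    return False


def map_pac_user_by_name(
    sam_account_name: str,
    passwd_db: Dict[str, PasswdEntry],
    min_domain_uid: int = 1000,
) -> Tuple[Optional[PasswdEntry], str]:
    """String-based mapping of a PAC samAccountName to a local account.

    Returns (entry, reason). The entry is None when the name is unknown or
    when it resolves to a UID below min_domain_uid, so a DC (or anyone able
    to rename accounts on it) cannot steer a domain logon onto "root" or
    another system account.
    """
    # Hypothetical: a plain lowercase lookup stands in for getpwnam().
    entry = passwd_db.get(sam_account_name.lower())
    if entry is None:
        return None, "unknown local user"
    if entry.uid < min_domain_uid:
        return None, f"uid {entry.uid} below min domain uid {min_domain_uid}"
    return entry, "ok"


def authorize_domain_logon(
    sam_account_name: str,
    nsswitch_text: str,
    passwd_db: Dict[str, PasswdEntry],
    min_domain_uid: int = 1000,
) -> Tuple[bool, str]:
    """Decide whether a PAC-named user may be mapped to a local account.

    When winbind backs NSS the SID-based mapping is used instead and this
    name check is not the relevant control; when it does not, the minimum
    domain UID check is applied to the string-mapped account.
    """
    if nss_uses_winbind(nsswitch_text):
        return True, "winbind provides NSS; SID-based mapping applies"
    entry, reason = map_pac_user_by_name(sam_account_name, passwd_db, min_domain_uid)
    return entry is not None, reason


if __name__ == "__main__":
    for name in ("alice", "root", "ROOT", "daemon", "mallory"):
        print(name, authorize_domain_logon(name, SAMPLE_NSSWITCH_NO_WINBIND, SAMPLE_PASSWD))
```

With the sample table, "alice" (UID 1001) is accepted while "root", "ROOT" and "daemon" are refused with a reason naming the UID threshold; an unknown name is refused as well. Raising min_domain_uid above 1001 would also block "alice", which is the knob an administrator would use where local accounts start at a higher UID.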
"min domain uid" is implemented in the security patch set. Opening this bug to vendors.
This bug was referenced in samba v4-15-stable (Release samba-4.15.2): af86793af77ab0dfe1c0a9740820c52b435d993d c1bf56f314667ee3c5399576a45b74346d4c7f2e a92da791615cd42ce28c679aba1c18a1ef2b5eb8 210b3e36f76d7251714aa48af2319496b907db11 1ec930b2f584ef012cd84d3d7ae265719de1b878 325942e4e78cccac5456a831375b881d5f80b4c0 e40a1d46831be8b6125b76b511bb24582e8a13e9 651b74b12b9d995f442fd02e90ca0a1ce12d4a52 39b060eeea6d364c7b7b575fda7a6877ce6e2a9a 58a1cc488ce20f7cd3c9013e9b8ec3163a25075e 3efb9d684d957f0e08c4fd537b0916b02cb73ceb e4172baf12205881098e42e502b0fc8d961e6601 7b9920b382ac57b045e46fa113a9c4a9da782b68 093c5502ab41f068dbc222854caf9cca14d4c157 fb5ca61f54412dcf24c4f20dd1dd4639838fbfab 9cb158a9a53de11a7f0959d30be28b9f09b41469
This bug was referenced in samba v4-13-stable (Release samba-4.13.14): d7a295b97e4321e9e98b3ff61b8bfb1250ff672e 2966b61522e05753ad1c6f10d1b573576afc4b15 b9d8f8025b7122cab64c37e5042866c66b556016 37c2f73cc958003fbba479d6d4d7c003f5d88fd6 eea64478862bc5bffea84f0eb78bf541620293fb c703f7a5642174d0e52aec91a6817d5cc56f47ab ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a 885fe6e31b107b3a6362cde0785e6d886888e0ec d079628a43f845522598be7efa0abf5e478549c6 844faf2f0ac5d21d65f452fb6f4d1b19bb0a2be2 b0031f531850e6cd4e674be45da54307f3e4360b e8e0bea9b333315ec1ff9eb1d36d4e810ca95941 39cf01d0d26608065dc071d58fea4cfd8d51bf02 eba5e1321830624e6e42d248616f651beb0d3b99 e95392aa08f3cc421998648c584af5bab89e4ad6 9f73360e17d1e519d25cb4b60d7506fca9fd02fe 131d5ceb9deaaa1d8dd478a9b2e2556133c511aa
This bug was referenced in samba v4-15-test: af86793af77ab0dfe1c0a9740820c52b435d993d c1bf56f314667ee3c5399576a45b74346d4c7f2e a92da791615cd42ce28c679aba1c18a1ef2b5eb8 210b3e36f76d7251714aa48af2319496b907db11 1ec930b2f584ef012cd84d3d7ae265719de1b878 325942e4e78cccac5456a831375b881d5f80b4c0 e40a1d46831be8b6125b76b511bb24582e8a13e9 651b74b12b9d995f442fd02e90ca0a1ce12d4a52 39b060eeea6d364c7b7b575fda7a6877ce6e2a9a 58a1cc488ce20f7cd3c9013e9b8ec3163a25075e 3efb9d684d957f0e08c4fd537b0916b02cb73ceb e4172baf12205881098e42e502b0fc8d961e6601 7b9920b382ac57b045e46fa113a9c4a9da782b68 093c5502ab41f068dbc222854caf9cca14d4c157 fb5ca61f54412dcf24c4f20dd1dd4639838fbfab 9cb158a9a53de11a7f0959d30be28b9f09b41469
This bug was referenced in samba v4-14-stable (Release samba-4.14.10): 5a5b1a06d6de8d1ffb4b1db4a7f575d8b1c168c2 e31b6f6094403d1186835af4e8385e988c19a4e5 adb6620043d4113a350ea24369f00246ea6410d4 e43275fc182c6bc39faf71ac4c007c71013b4748 7ca428223f522bd959be8e564432afcf5ea37ed8 a624a73ce46bbca579411a26581394ea72ae9d09 39c834af93813c736d002a0669fdf01dfc2e5241 8aeac144220949bb4a9c2fb5aacfead6133f9ed9 c3c49ceeb7991f9851e616a901e2f601ff796c3e 6280d99de7d0f761842a5ab37a6253aefa237344 9c66eacf637bc25e7720ba0d2b2f9763639f6e8c cc1c47f1679b85c8860b2ee05c3f45b7b667ccef c219b832d96b582aa5b81f0cec31ab432d6469e4 151b6145e1c0cb360b088dfc4e41982854fc2c9d f2aafe556290e9944cc03146084e8f3991fcd06b 3cceba46aa5e93d65d529f4ec76fa19fe17244c6 e5f10558e0861fe16eee40485c5b520b039f0d24
This bug was referenced in samba v4-13-test: d7a295b97e4321e9e98b3ff61b8bfb1250ff672e 2966b61522e05753ad1c6f10d1b573576afc4b15 b9d8f8025b7122cab64c37e5042866c66b556016 37c2f73cc958003fbba479d6d4d7c003f5d88fd6 eea64478862bc5bffea84f0eb78bf541620293fb c703f7a5642174d0e52aec91a6817d5cc56f47ab ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a 885fe6e31b107b3a6362cde0785e6d886888e0ec d079628a43f845522598be7efa0abf5e478549c6 844faf2f0ac5d21d65f452fb6f4d1b19bb0a2be2 b0031f531850e6cd4e674be45da54307f3e4360b e8e0bea9b333315ec1ff9eb1d36d4e810ca95941 39cf01d0d26608065dc071d58fea4cfd8d51bf02 eba5e1321830624e6e42d248616f651beb0d3b99 e95392aa08f3cc421998648c584af5bab89e4ad6 9f73360e17d1e519d25cb4b60d7506fca9fd02fe 131d5ceb9deaaa1d8dd478a9b2e2556133c511aa
This bug was referenced in samba v4-14-test: 5a5b1a06d6de8d1ffb4b1db4a7f575d8b1c168c2 e31b6f6094403d1186835af4e8385e988c19a4e5 adb6620043d4113a350ea24369f00246ea6410d4 e43275fc182c6bc39faf71ac4c007c71013b4748 7ca428223f522bd959be8e564432afcf5ea37ed8 a624a73ce46bbca579411a26581394ea72ae9d09 39c834af93813c736d002a0669fdf01dfc2e5241 8aeac144220949bb4a9c2fb5aacfead6133f9ed9 c3c49ceeb7991f9851e616a901e2f601ff796c3e 6280d99de7d0f761842a5ab37a6253aefa237344 9c66eacf637bc25e7720ba0d2b2f9763639f6e8c cc1c47f1679b85c8860b2ee05c3f45b7b667ccef c219b832d96b582aa5b81f0cec31ab432d6469e4 151b6145e1c0cb360b088dfc4e41982854fc2c9d f2aafe556290e9944cc03146084e8f3991fcd06b 3cceba46aa5e93d65d529f4ec76fa19fe17244c6 e5f10558e0861fe16eee40485c5b520b039f0d24
This bug was referenced in samba master: 9fe1b719e1b35ae4053cbb13f29f76f4b2f950ef b39b698cdac9ef97d018d6f02d59493ec5bff6e6 6771b2f211f6f5ae08d94a75afb7c6109f65497d 14b9f905da196e4e1904e4d4b0dec6192e76ab61 97d54027910b7d3fa04bd6c1b72448a85cdf5d7c 4b78ad7346c7128142a65ce6d6625d3d28116882 28fae9c2215698e465201b6ad27eb9eeb55c906a dd0423bfbbce2d9f1f8a62c21cf612e5c755b616 8f79ee99a6a3390ccb409ac1b5f543488e7bd784 52190982de134fb55abce76def0609651e45012e 57abb7f8f8884f52f1d194c5c74e067aecd0d3dd e2d5b4d709293b52112d078d6fcde95593d790c5 e2d271cb6bcd292f786664f055cde41c32002804 935feff8e54cef9b379f653a3198a5bbd3a64989 bd8d06ff155fb831cd8d487eabfbc69743d12252 c4ddf939e0ee2b9ae1af8b2ff8344fc9c7118adf
The patches addressing this issue have been pushed to master and security releases made.