the 'winbind use default domain' option is both unloved and places domain usernames in the same namespace as local users. We need to check that an attacker with control over names in the samAccountName can't force a domain PAC-based kerberos ticket to map to a local user.
This codepath now closely mirrors the NTLM codepath so should now be secure in the security patch set. Opening this bug to vendors.
The PAC-based lookup for a username only looks up DOMAIN\user by default, which is always an alias even if 'winbind use default domain = yes' is set, so this isn't a problem now bug 14556 (CVE-2020-25717) is fixed