Samba from version 4.9.0 and before version 4.9.3 that have AD DC
configurations watching for bad passwords (to restrict brute forcing of
passwords) in a window of more than 3 minutes may not watch for bad
passwords at all. The primary risk from this issue is with regards to
domains that have been upgraded from Samba 4.8 and earlier. In these cases
the manual testing done to confirm an organisation's password policies
apply as expected may not have been re-done after the upgrade.
mdeslaur4.9.x only
Source: samba (LP Ubuntu Debian)
Upstream:released (4.9.3)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected
Ubuntu 14.04 ESM (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):not-affected
Ubuntu 18.04 LTS (Bionic Beaver):not-affected
More Information

Updated: 2020-09-10 05:54:21 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)