All versions of Samba from 4.0.0 include an embedded copy of Heimdal Kerberos. Heimdal has made a security release, which disclosed:
Fix CVE-2017-11103: Orpheusβ Lyre KDC-REP service name validation
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in βenc_partβ instead of the unencrypted version stored in βticketβ. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
See https://www.orpheus-lyre.info/ for more details.
The impact for Samba is particularly strong for cases where the Samba DRS replication service contacts another DC requesting replication of user passwords, as these could then be controlled by the attacker.