Bug 1048278 - (CVE-2017-11103) VUL-0: CVE-2017-11103: samba: Orpheus' Lyre KDC-REP service name validation (mutual auth bypass) in embedded Heimdal
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: The 'Opening Windows to a Wider World' guys
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/188377/
Reported: 2017-07-12 07:10 UTC by Marcus Meissner
Modified: 2018-03-01 09:09 UTC

Description Marcus Meissner 2017-07-12 07:10:50 UTC
via samba bugzilla

https://bugzilla.samba.org/show_bug.cgi?id=12894

Heimdal upstream has just disclosed (sadly without prior notice to Samba):

Changes in Heimdal 7.4:

 Security

 - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

   This is a critical vulnerability.

   In _krb5_extract_ticket() the KDC-REP service name must be obtained from
   encrypted version stored in 'enc_part' instead of the unencrypted version
   stored in 'ticket'.  Use of the unencrypted version provides an
   opportunity for successful server impersonation and other attacks.

   Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

   See https://www.orpheus-lyre.info/ for more details.


This impacts Samba as a client, as well as Samba as a server where it talks to other servers, such as in winbindd and AD DC replication traffic.

Relevant CVEs

    CVE-2017-8495 / KB-4022746 (Microsoft)
    CVE-2017-11103 (Heimdal)
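The Heimdal note above says why the cleartext 'ticket' copy of the service name must not be trusted: it is encrypted to the service, not to the client, so an on-path attacker who holds the key of any principal in the realm can swap it. The following is an added example, not Heimdal or Samba code, that models the exchange end to end: a toy KDC issues a reply carrying the service name both in the cleartext Ticket and in the client-keyed enc_part, an on-path attacker steers the request to a principal it controls (the constructed name host/evil) and rewrites the cleartext name back to what the client asked for, and a model of _krb5_extract_ticket() is run in its vulnerable form (cleartext name) and its fixed form (enc_part name). The crypto is a toy SHA-256 keystream with an HMAC tag, and all principal names and keys are made up; realm and the other KDC-REP fields are omitted.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream (toy; stands in for a Kerberos enctype)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> dict:
    """Toy authenticated encryption of a JSON object (stand-in for EncryptedData)."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def kdc_tgs_rep(client_key: bytes, service_keys: dict, sname: str) -> dict:
    """KDC side: the service name appears twice in the reply.  'ticket' is
    cleartext apart from its enc-part (keyed to the *service*); 'enc_part'
    is keyed to the *client* and is the only copy the client can verify."""
    session_key = secrets.token_bytes(32).hex()
    ticket = {
        "sname": sname,  # cleartext: not integrity-protected from the client's point of view
        "enc_part": encrypt(service_keys[sname], {"cname": "alice", "key": session_key}),
    }
    enc_part = encrypt(client_key, {"sname": sname, "key": session_key})
    return {"ticket": ticket, "enc_part": enc_part}


def extract_ticket(client_key: bytes, rep: dict, requested: str, fixed: bool) -> bytes:
    """Model of _krb5_extract_ticket(): the vulnerable path (fixed=False) checks
    the cleartext ticket sname; the fixed path checks the sname inside enc_part.
    Returns the session key on acceptance, raises ValueError on mismatch."""
    enc = decrypt(client_key, rep["enc_part"])
    sname = enc["sname"] if fixed else rep["ticket"]["sname"]
    if sname != requested:
        raise ValueError(f"KDC-REP names {sname!r}, client asked for {requested!r}")
    return bytes.fromhex(enc["key"])


def mitm_rewrite(rep: dict, victim_sname: str) -> dict:
    """On-path attacker: leaves enc_part (which it can neither read nor forge)
    alone and overwrites the cleartext ticket sname with the service the client wanted."""
    forged = json.loads(json.dumps(rep))  # deep copy
    forged["ticket"]["sname"] = victim_sname
    return forged


def run_scenario(fixed: bool, attack: bool = True) -> dict:
    client_key = secrets.token_bytes(32)
    # Constructed principals: the victim service and one whose key the attacker holds.
    service_keys = {"cifs/dc1": secrets.token_bytes(32), "host/evil": secrets.token_bytes(32)}
    wanted = "cifs/dc1"
    if attack:
        # Attacker rewrites the TGS-REQ sname to host/evil, then patches the reply.
        rep = mitm_rewrite(kdc_tgs_rep(client_key, service_keys, "host/evil"), wanted)
    else:
        rep = kdc_tgs_rep(client_key, service_keys, wanted)
    try:
        session_key = extract_ticket(client_key, rep, wanted, fixed)
    except ValueError:
        return {"accepted": False, "attacker_has_key": False}
    if not attack:
        return {"accepted": True, "attacker_has_key": False}
    # The forged ticket's enc-part is under host/evil's key, so the attacker recovers
    # the very session key the client will use to "mutually authenticate" dc1.
    inner = decrypt(service_keys["host/evil"], rep["ticket"]["enc_part"])
    return {"accepted": True, "attacker_has_key": bytes.fromhex(inner["key"]) == session_key}


if __name__ == "__main__":
    print("vulnerable client, attack:", run_scenario(fixed=False))
    print("fixed client, attack:     ", run_scenario(fixed=True))
    print("fixed client, honest KDC: ", run_scenario(fixed=True, attack=False))
```

The point the model makes visible is that the attacker never touches enc_part: the KDC's own, correctly encrypted reply already says host/evil there, and the fix is simply to read the name from the copy the client can authenticate. Mutual authentication with the session key then proves nothing about the peer in the vulnerable case, which is why the Samba advisory singles out DRS replication, where the "server" the DC trusts may hand back password data.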
Comment 1 Marcus Meissner 2017-07-12 07:11:49 UTC
Andrew Bartlett in samba bug:

To answer the questions that will come up:

In short, the issue is a bypass of mutual authentication.

 - The biggest impact of this is on the AD DC, because of the risk to DRS replication 
 - If your samba is built using MIT Kerberos, upstream Heimdal advisory says:
   "The MIT implementation is not vulnerable, and looking through its version history, never had been. "
 - If you or your distributor built with --with-system-mitkrb5 then the above applies.
Comment 2 Thomas Biege 2017-07-12 07:16:47 UTC
Marcus, for the sake of completeness: Do we build with mitkrb5?
Comment 3 Marcus Meissner 2017-07-12 07:23:32 UTC
    ====================================================================
    == Subject:     Orpheus' Lyre mutual authentication validation bypass
    ==
    == CVE ID#:     CVE-2017-11103 (Heimdal)
    ==
    == Versions:    All versions of Samba from 4.0.0 onwards using
    ==              embedded Heimdal Kerberos.
    ==
    ==              Samba binaries built against MIT Kerberos are not
    ==              vulnerable.
    ==
    == Summary:     A MITM attacker may impersonate a trusted server
    ==              and thus gain elevated access to the domain by
    ==              returning malicious replication or authorization data.
    ==
    ====================================================================

    ===========
    Description
    ===========

    All versions of Samba from 4.0.0 include an embedded copy of Heimdal
    Kerberos.  Heimdal has made a security release, which disclosed:

    Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

       This is a critical vulnerability.

       In _krb5_extract_ticket() the KDC-REP service name must be obtained from
       encrypted version stored in 'enc_part' instead of the unencrypted version
       stored in 'ticket'.  Use of the unencrypted version provides an
       opportunity for successful server impersonation and other attacks.

       Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

       See https://www.orpheus-lyre.info/ for more details.

    The impact for Samba is particularly strong for cases where the Samba
    DRS replication service contacts another DC requesting replication
    of user passwords, as these could then be controlled by the attacker.

    ==================
    Patch Availability
    ==================

    A patch addressing this defect has been posted to

      http://www.samba.org/samba/security/

    Additionally, Samba 4.6.6, 4.5.12 and 4.4.15 have been issued as
    security releases to correct the defect. Patches against older Samba
    versions are available at http://samba.org/samba/patches/. Samba
    vendors and administrators running affected versions linked against
    the embedded Heimdal Kerberos are advised to upgrade or apply the
    patch as soon as possible.

    ==========
    Workaround
    ==========

    Samba versions built against MIT Kerberos are not impacted.  Unless
    you are running Samba as an AD DC, rebuild Samba using:

     ./configure --with-system-mitkrb5.

    =======
    Credits
    =======

    This problem was identified in Heimdal by Jeffrey Altman, Viktor
    Duchovni and Nico Williams.

    Andrew Bartlett, Garming Sam and Bob Campbell of Catalyst and the
    Samba Team ported the fix to Samba and wrote this advisory.
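Whether the workaround above applies hinges on which Kerberos a given Samba build links, which is exactly the question asked in comment 2. The following added check (not from the advisory or from Samba) classifies a binary from its ldd output. It assumes, as noted in the code, that Samba's bundled Heimdal is installed as private shared libraries carrying a "-samba4" suffix, that MIT Kerberos is recognisable by libgssapi_krb5/libk5crypto, and that a system Heimdal by libheimbase/libhx509; the ldd excerpts embedded for the demo are constructed, not captured from a real host.

```python
import re
import shutil
import subprocess
import sys

# Library names that identify each Kerberos implementation.  Assumption (not
# from the advisory): Samba installs its bundled Heimdal as private libraries
# named with a "-samba4" suffix, e.g. libkrb5-samba4.so.26; MIT Kerberos ships
# libgssapi_krb5 and libk5crypto; a system Heimdal ships libheimbase/libhx509.
EMBEDDED_HEIMDAL = re.compile(r"^lib(krb5|gssapi|hx509|asn1|heimbase|hcrypto)-samba4\.so")
MIT_KRB5 = re.compile(r"^lib(gssapi_krb5|k5crypto)\.so")
SYSTEM_HEIMDAL = re.compile(r"^lib(heimbase|hx509|hcrypto)\.so")

# Constructed ldd excerpts for the demo; real output has more lines.
SAMPLE_LDD = {
    "mit": (
        "\tlinux-vdso.so.1 (0x00007ffd1a5f0000)\n"
        "\tlibkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f1a00000000)\n"
        "\tlibgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00007f1a00100000)\n"
    ),
    "embedded": (
        "\tlibkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f2b00000000)\n"
        "\tlibgssapi-samba4.so.2 => /usr/lib64/samba/libgssapi-samba4.so.2 (0x00007f2b00100000)\n"
    ),
    "system": (
        "\tlibkrb5.so.26 => /usr/lib64/libkrb5.so.26 (0x00007f3c00000000)\n"
        "\tlibheimbase.so.1 => /usr/lib64/libheimbase.so.1 (0x00007f3c00100000)\n"
    ),
}


def linked_libs(ldd_output: str) -> list:
    """Extract 'libfoo.so.N' names from `ldd` lines of the form 'libfoo.so.N => /path (0x..)'."""
    return re.findall(r"^\s*(\S+\.so[\w.]*)\s*=>", ldd_output, re.M)


def classify_krb5(ldd_output: str) -> str:
    libs = linked_libs(ldd_output)
    if any(EMBEDDED_HEIMDAL.match(lib) for lib in libs):
        return "embedded-heimdal"  # affected: needs Samba 4.6.6 / 4.5.12 / 4.4.15 or the patch
    if any(MIT_KRB5.match(lib) for lib in libs):
        return "mit-krb5"          # not affected per the advisory
    if any(SYSTEM_HEIMDAL.match(lib) for lib in libs):
        return "system-heimdal"    # affected through the system library: needs Heimdal 7.4
    return "unknown"


def demo() -> dict:
    """Classify the constructed samples; used by the stand-alone run below."""
    return {name: classify_krb5(out) for name, out in SAMPLE_LDD.items()}


def main(argv) -> int:
    if "--demo" in argv:
        for name, verdict in demo().items():
            print(f"sample {name}: {verdict}")
        return 0
    binaries = argv[1:] or [b for b in (shutil.which("smbd"), shutil.which("winbindd")) if b]
    if not binaries:
        print("no smbd/winbindd on PATH; pass binary paths explicitly", file=sys.stderr)
        return 2
    for path in binaries:
        out = subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout
        print(f"{path}: {classify_krb5(out)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to inspect smbd and winbindd from PATH, or with `--demo` to see the three constructed cases. Two caveats: a bundled Heimdal linked statically into smbd would not show up in ldd output at all, so "unknown" is not a clean bill of health; and an MIT-built Samba on a host whose other services use Heimdal is still fine, since the advisory's condition is what Samba itself links against.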
Comment 4 Marcus Meissner 2017-07-12 07:26:16 UTC
All our samba 4 packages build with system krb5 as far as I see.
Comment 5 David Mulder 2017-07-12 13:05:26 UTC
(In reply to Marcus Meissner from comment #4)
> All our samba 4 packages build with system krb5 as far as I see.

Yeah, we build with mit krb5.
Comment 7 Marcus Meissner 2017-07-13 07:11:56 UTC
is public

--- Comment #27 from Andrew Bartlett <abartlet@samba.org> ---
To be clear, this was released yesterday, no embargo.  We do apologise to our
downstream users and distributors for the lack of notice this time.

https://www.samba.org/samba/security/CVE-2017-11103.html

and (eg)
https://www.samba.org/samba/history/samba-4.6.6.html

Official packages from SuSE, RHEL and Fedora are not impacted, as they all use
MIT Kerberos.  I'm personally working with Debian to help push out updated
packages. 

Fixed in master with 3799a32e41134a2dff797ebeacf5abdb8d332e6e for Samba 4.7,
plus new releases were made 4.7rc2, 4.6.6, 4.5.12 and 4.4.15.
Comment 10 David Disseldorp 2017-07-24 10:39:19 UTC
(In reply to Marcus Meissner from comment #7)
...
> Fixed in master with 3799a32e41134a2dff797ebeacf5abdb8d332e6e for Samba 4.7,
> plus new releases were made 4.7rc2, 4.6.6, 4.5.12 and 4.4.15.

Although this doesn't affect us, I'm going to merge the fix into SLE12SP3 / oS Factory along with the fix for bsc#1048790.
Comment 11 Bernhard Wiedemann 2017-07-24 16:00:42 UTC
This is an autogenerated message for OBS integration:
This bug (1048278) was mentioned in
https://build.opensuse.org/request/show/512298 Factory / samba
Comment 15 Swamp Workflow Management 2017-08-16 22:08:03 UTC
openSUSE-SU-2017:2180-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048278
CVE References: CVE-2017-11103,CVE-2017-6594
Sources used:
openSUSE Leap 42.3 (src):    libheimdal-7.4.0-3.1
openSUSE Leap 42.2 (src):    libheimdal-7.4.0-2.3.1
Comment 16 Swamp Workflow Management 2017-08-22 19:12:16 UTC
SUSE-SU-2017:2237-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (important)
Bug References: 1048278,1048339,1048352,1048387,1048790,1052577,1054017
CVE References: CVE-2017-11103
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.7+git.38.90b2cdb4f22-3.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.7+git.38.90b2cdb4f22-3.7.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-2.4.2, samba-4.6.7+git.38.90b2cdb4f22-3.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.7+git.38.90b2cdb4f22-3.7.1
Comment 17 Swamp Workflow Management 2017-08-31 01:09:58 UTC
openSUSE-SU-2017:2311-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (important)
Bug References: 1048278,1048339,1048352,1048387,1048790,1052577,1054017
CVE References: CVE-2017-11103
Sources used:
openSUSE Leap 42.3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-3.1, samba-4.6.7+git.38.90b2cdb4f22-3.1