Samba project developers
The essence of the vulnerability is that the MS-NRPC (Netlogon Remote Protocol) protocol allows the authentication exchange to fall back to an RPC connection without encryption. An attacker can then exploit a flaw in the AES-CFB8 algorithm to spoof a successful login; on average, 256 spoofing attempts are needed to log in as an administrator. The attack does not require a working account on the domain controller: the spoofing attempts can be made with an incorrect password. The NTLM authentication request is redirected to the domain controller, which returns an access-denied response, but the attacker can spoof that response so that the attacked system treats the login as successful.
In Samba, the vulnerability affects only systems that do not use the "server schannel = yes" setting, which has been the default since Samba 4.8. In particular, systems configured with "server schannel = no" or "server schannel = auto" can be compromised, since those settings leave Samba open to the same flaws in the AES-CFB8 algorithm as Windows.
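The only Samba-side condition named above is the "server schannel" parameter, so an administrator's first check is whether any domain controller still carries "no" or "auto" (or inherits a pre-4.8 default). The following audit script is an added example, not code from the article or from the Samba project; the smb.conf fragments are constructed, and treating an absent parameter as "yes" assumes the Samba 4.8+ default stated above.

```python
import configparser
import re

# Samba's default for "server schannel" since 4.8, as the text above states.
DEFAULT_SERVER_SCHANNEL = "yes"
# Samba boolean spellings that enable schannel; "auto" and "no" are not safe.
SAFE_VALUES = {"yes", "true", "1"}

# Constructed sample configurations (not taken from the original page).
VULNERABLE_CONF = """\
[global]
    server role = active directory domain controller
    ; relaxed "temporarily" for an old client, then forgotten
    Server SChannel = auto
"""
HARDENED_CONF = """\
[global]
    server role = active directory domain controller
    server schannel = yes
"""


def global_section(text: str) -> dict:
    """Return smb.conf's [global] section. Samba ignores case and all
    whitespace in parameter names, so keys become e.g. "serverschannel"."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for name in parser.sections():
        if name.lower() == "global":
            return {re.sub(r"\s+", "", k).lower(): v.strip()
                    for k, v in parser.items(name)}
    return {}


def audit_server_schannel(text: str) -> dict:
    """Effective "server schannel" value, and whether it leaves the host open
    to the unencrypted Netlogon fallback described above (absent = default)."""
    value = global_section(text).get("serverschannel",
                                     DEFAULT_SERVER_SCHANNEL).lower()
    # Anything that is not an explicit "yes" is flagged, unknown spellings included.
    exposed = value not in SAFE_VALUES
    return {"server schannel": value, "exposed": exposed}
```

Run it over the smb.conf of every domain controller; a hit on a host running a release older than 4.8 also needs the parameter set explicitly, because the safe default does not apply there.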
When using a Windows-prepared reference
Source: opennet.ru