== Subject:     Denial of service attack against Windows
==		Active Directory server.
== CVE ID#:     CVE-2015-8467
== Versions:    Samba 4.0.0 to 4.3.2
== Summary:     Samba can expose Windows DCs to MS15-096
==              Denial of service via the creation of multiple
==              machine accounts.
==              (The Microsoft issue is CVE-2015-2535)


Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.

All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain as Windows DCs, could be used to bypass the
protection against the MS15-096 / CVE-2015-2535 security issue in
Windows.

Prior to MS15-096 it was possible for a non-administrative user to
bypass the quota on the number of machine accounts that user could
create.  Pure Samba domains are not impacted, as Samba does not
implement the SeMachineAccountPrivilege functionality that allows
non-administrator users to create new computer objects.

Patch Availability

Patches addressing this defect have been posted to

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect.
Samba vendors and administrators running affected versions as
an AD DC in combination with Windows AD DCs are advised to
upgrade or apply the patch as soon as possible.


Only users holding SeMachineAccountPrivilege (the "Add workstations to
domain" user right) can exploit this issue against Windows DCs, so
removing this privilege from "Authenticated Users" provides a
mitigation.
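The following audit script is an added example and is not part of the Samba advisory or of the Samba project. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and, for the last function, that it is run on a Windows DC. It shows the three checks an administrator of a mixed Samba/Windows domain would want after reading the above: what the domain's ms-DS-MachineAccountQuota is, which computer objects were created under that quota (Windows stamps mS-DS-CreatorSID on exactly those objects) and whether any single creator exceeds the quota, and which SIDs currently hold SeMachineAccountPrivilege on the DC (S-1-5-11 is "Authenticated Users", the default holder the workaround says to remove).

```powershell
# Added example, not from the Samba advisory. Assumes the RSAT ActiveDirectory
# module; Get-MachineAccountPrivilegeHolders must run on a Windows DC.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota is an attribute of the domain naming context root object.
    $domain = Get-ADDomain
    $root = Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota'
    return [int]$root.'ms-DS-MachineAccountQuota'
}

function Get-QuotaCreatedComputers {
    # Windows sets mS-DS-CreatorSID only when a computer object is created by a
    # principal relying on SeMachineAccountPrivilege and the quota rather than
    # on explicit Create Child rights, so these are the accounts the quota limits.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            # The attribute is returned as a binary SID.
            $sid = New-Object System.Security.Principal.SecurityIdentifier(
                $_.'mS-DS-CreatorSID', 0)
            try {
                $creator = $sid.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $creator = $sid.Value   # creator account may since have been deleted
            }
            [pscustomobject]@{
                Computer    = $_.Name
                CreatorSid  = $sid.Value
                Creator     = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

function Find-QuotaBypass {
    param([int]$Quota = (Get-MachineAccountQuota))
    # A single creator owning more quota-created machine accounts than the quota
    # allows means the limit was not enforced at creation time, which is the
    # outcome CVE-2015-8467 (via a Samba DC) or CVE-2015-2535 (via an unpatched
    # Windows DC) makes possible.
    Get-QuotaCreatedComputers |
        Group-Object Creator |
        Where-Object { $_.Count -gt $Quota } |
        ForEach-Object {
            [pscustomobject]@{
                Creator  = $_.Name
                Created  = $_.Count
                Quota    = $Quota
                Machines = ($_.Group.Computer -join ', ')
            }
        }
}

function Get-MachineAccountPrivilegeHolders {
    # Export the effective user-rights assignment on this DC and return the SIDs
    # granted SeMachineAccountPrivilege. If S-1-5-11 (Authenticated Users) is
    # listed, the workaround above has not been applied.
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Line format: SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544
    ($line.Line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Usage:
"Quota: $(Get-MachineAccountQuota)"
Find-QuotaBypass | Format-Table -AutoSize
"SeMachineAccountPrivilege holders: $((Get-MachineAccountPrivilegeHolders) -join ', ')"
```

Note that the creator count only flags accounts still present in the directory; a user who created and then deleted machine accounts will not show up, so the output is a lower bound on what was created. The privilege export reflects the local effective policy on the DC it runs on, which is where Default Domain Controllers Policy applies.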


This problem was found by Andrew Bartlett <> of the
Samba Team and Catalyst (, who also provided the