The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 9:31 UTC (Fri) by NYKevin (subscriber, #129325)
In reply to: The long road to a fix for CVE-2021-20316 by xecycle
Parent article: The long road to a fix for CVE-2021-20316
Technically, it depends on your threat model. If you know that attackers cannot create symlinks (for example, because you've patched Samba to disallow this operation, and you don't give untrusted users local shell access), then in principle there is no security hole. But I doubt that distros can make that kind of guarantee with respect to end user deployments.
Nevertheless, if you're an IT department deploying Samba on e.g. a NAS, you probably *can* make that sort of guarantee. I'm not saying this is a good idea, however.
