For those who were hit by this as I was. Samba is being updated in Debian 9 and the Debian 8 security backports because of a recently disclosed bug in Heimdal (a Kerberos implementation) that affects Samba.
The Debian bug where you can read more about this is #868209, and the Heimdal bug is CVE-2017-11103. Yes, it has a silly name, and its own domain name already, and an annoying WWW page that auto-plays music. One of *those* bugs. (-: People have already opened a Debian bug for the problems caused by at least two problematic package dependencies in the newly published Samba packages, that mean that people cannot upgrade, and cannot reinstall, Samba. That Debian bug is #868353 ("samba-libs dependencies broken in jessie debian-security repo"). There is additional information in bug #868209 under "Samba security updates uninstallable due to broken dependency of python-talloc". As you can see, it is being worked on.