Re: an old commit connected the two subsystems together,
Yes, I am fully aware of these restrictions and the reasons for them, and Samba follows these in all of our internal library code. Plugins are only loaded from $SAMBA_INSTALL_BASE_DIR/lib/<subsystem_name>/plugin_name.so where <subsystem_name> is hard-coded at compile time.
The bug occurred because this was connected to the RPC subsystem, which originally had a hard-coded list of acceptable plugin names (that's why the pre-3.5.0 code is not vulnerable), but this was relaxed for 3.5.0 and above - which was a big mistake. We will be correcting that in future releases, but due to the severity of the problem and immediacy of the threat we decided we had to go with the minimal secure patch for the CVE release.
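The two layers the message above describes (a load path fixed under the install directory, plus a compiled-in list of acceptable plugin names) can be sketched as follows. This is an added example, not part of the original message and not Samba's code; the base directory, the module names and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: not Samba's real install path or module names. */
#define PLUGIN_BASE_DIR "/usr/local/samba/lib"
static const char *const RPC_ALLOWED[] = { "example_pipe_a", "example_pipe_b", NULL };

/* Layer 1: the name must be a bare file-name component, [A-Za-z0-9_-] only. */
static int name_is_bare(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    for (const char *p = name; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_' || *p == '-';
        if (!ok)
            return 0; /* rejects '/', '.', and anything else path-like */
    }
    return 1;
}

/* Layer 2: the name must appear on the compiled-in list. */
static int name_is_allowed(const char *name)
{
    for (size_t i = 0; RPC_ALLOWED[i] != NULL; i++)
        if (strcmp(name, RPC_ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Returns 0 and fills `out` on success, -1 on rejection. `subsystem` is
 * a compile-time constant supplied by the caller, never remote input. */
int resolve_plugin_path(const char *subsystem, const char *name,
                        char *out, size_t outlen)
{
    if (!name_is_bare(name) || !name_is_allowed(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s/%s.so", PLUGIN_BASE_DIR, subsystem, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1; /* truncated path: refuse rather than load a different file */
    return 0;
}

int main(void)
{
    char buf[256];
    const char *tests[] = { "example_pipe_a", "/some/other/dir/module", "not_listed" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %d\n", tests[i], resolve_plugin_path("rpc", tests[i], buf, sizeof buf));
    return 0;
}
```

Dropping only the second check leaves the directory restriction as the sole barrier, so any bare name an outside party can supply becomes a load request.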