Not quite right.
You must be on the same network as the client connecting to the AD-DC, but you don't need to be able to sniff any traffic, just be able to spoof the client to connect to you instead of the correct DC.
It's the first protocol-level bug in DCE RPC I'm aware of, and Metze did an amazing job both finding it, working out the implications and creating the required fixes for this. Also many other engineers put in long
Not gonna comment on the "badlock" website, only that it wasn't a Samba Team activity.