[Samba] Client Uses Impostor DC

Gregory Sloop gregs at sloop.net
Thu Jul 24 12:29:07 MDT 2014


BC> Are there any preventative measures we
BC> could take with either the Ubuntu 10.04/Samba 3.4.7 client or with
BC> the DCs to prevent this issue from happening again if a
BC> counterfeit DC were ever to be placed on our network again? 

In a word, No.

If you allow someone physically connected to your network to set up a DNS/DHCP/DC server, there's really nothing you can do to prevent the predictable havoc that will ensue.

Clients "find" the correct DC to contact to attempt authentication via DNS. If DNS is whacked, then all bets are off. If a DHCP server is running rogue and handing out bad addresses and options [namely DNS servers] then you can't "fix" that.

There's no security issue, since the clients will be attempting to contact the "bogus" DC with the PKI they used to generate the trust relationship with the "real" DC, and so the communication/authentication will simply fail. 

So, you simply have to have ways to prevent/detect/neuter people who set up rogue services on your network, with DNS being one of the most critical. [I tend to recommend the neuter option - as in castrate or spay.]

---
While there are too many variables to guess at, I'd guess the "problem" DC clients got bad DNS servers via the bad DHCP server, and from that point on, nothing worked. The machines still working got DHCP leases from the "good" DHCP server, along with the good DNS servers, and they worked fine.

But unless you happened to gather a lot of data we can examine posthumously, we're all guessing at exactly what happened. And frankly the exact details really don't matter. Rogue DHCP/DNS servers are going to break a lot of stuff, and there's not a lot you can do about it, other than stopping such things from happening.


-Greg
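An added illustration of the "detect" option Greg mentions, not part of his post or of Samba: a small audit that checks observed DHCPOFFERs against an allow-list of DHCP servers and of the DNS servers they are permitted to hand out, since a rogue DHCP server pointing clients at its own DNS is what lets them "find" the wrong DC. The log format, addresses and allow-list values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical DHCP-monitor format (not real
# Samba or dhcpd output): one line per DHCPOFFER observed on the wire.
SAMPLE_OFFERS = [
    "2014-07-24 12:01:03 DHCPOFFER yiaddr=10.0.0.57 server-id=10.0.0.1 dns=10.0.0.10,10.0.0.11",
    "2014-07-24 12:01:04 DHCPOFFER yiaddr=10.0.0.58 server-id=10.0.0.1 dns=10.0.0.10,10.0.0.11",
    "2014-07-24 12:01:05 DHCPOFFER yiaddr=10.0.0.200 server-id=10.0.0.99 dns=10.0.0.99",
]

# Allow-lists an administrator would maintain (hypothetical values).
ALLOWED_DHCP_SERVERS = {"10.0.0.1"}
ALLOWED_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}

OFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCPOFFER yiaddr=(?P<yiaddr>\S+) "
    r"server-id=(?P<server>\S+) dns=(?P<dns>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    timestamp: str
    server_id: str
    reason: str

def audit_dhcp_offers(lines, allowed_servers=ALLOWED_DHCP_SERVERS,
                      allowed_dns=ALLOWED_DNS_SERVERS):
    """Flag DHCPOFFERs from unknown servers or carrying unknown DNS servers.

    Both the offering server and the DNS option are checked: a legitimate
    DHCP server with a bad DNS option is just as damaging to DC lookup.
    """
    findings = []
    for line in lines:
        m = OFFER_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; ignored
        server = m.group("server")
        unknown_dns = set(m.group("dns").split(",")) - allowed_dns
        if server not in allowed_servers:
            findings.append(Finding(m.group("ts"), server, "offer from unknown DHCP server"))
        if unknown_dns:
            findings.append(Finding(m.group("ts"), server,
                                    "offer hands out unknown DNS server(s): " + ",".join(sorted(unknown_dns))))
    return findings

if __name__ == "__main__":
    for f in audit_dhcp_offers(SAMPLE_OFFERS):
        print(f"{f.timestamp} server={f.server_id}: {f.reason}")
```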

