[Samba] Client Uses Impostor DC

David Bear dwbear75 at gmail.com
Sat Jul 26 22:19:32 MDT 2014


Yes, rogue DHCP servers are a major security issue. And if you have Cisco
switches (maybe others have this ability) you can set up a denial on
whatever port the switch detects the rogue DHCP service. There are DHCP
snooping and DHCP trust options. I'm not aware of a 'software' solution to
this that would not somehow be married to your layer 3 switching
infrastructure.



On Thu, Jul 24, 2014 at 11:29 AM, Gregory Sloop <gregs at sloop.net> wrote:

> BC> Are there any preventative measures we
> BC> could take with either the Ubuntu 10.04/Samba 3.4.7 client or with
> BC> the DCs to prevent this issue from happening again if a
> BC> counterfeit DC were ever to be placed on our network again?
>
> In a word, No.
>
> If you allow someone physically connected to your network to set up a
> DNS/DHCP/DC server, there's really nothing you can do to prevent the
> predictable havoc that will ensue.
>
> Clients "find" the correct DC to contact to attempt authentication via
> DNS. If DNS is whacked, then all bets are off. If a DHCP server is running
> rogue and handing out bad addresses and options [namely DNS servers] then
> you can't "fix" that.
>
> There's no security issue, since the clients will be attempting to contact
> the "bogus" DC with the PKI they used to generate the trust relationship
> with the "real" DC, and so the communication/authentication will simply
> fail.
>
> So, you simply have to have ways to prevent/detect/neuter people who set up
> rogue services on your network, with DNS being one of the most critical. [I
> tend to recommend the neuter option - as in castrate or spay.]
>
> ---
> While there are too many variables to guess at, I'd guess the "problem" DC
> clients got bad DNS servers via the bad DHCP server, and from that point
> on, nothing worked. The machines still working got DHCP leases from the
> "good" DHCP server, along with the good DNS servers, and they worked fine.
>
> But unless you happened to gather a lot of data we can examine
> posthumously, we're all guessing at exactly what happened. And frankly the
> exact details really don't matter. Rogue DHCP/DNS servers are going to
> break a lot of stuff, and there's not a lot you can do about it, other than
> stopping such things from happening.
>
>
> -Greg



-- 
David Bear
mobile: (602) 903-6476
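The thread's point is that a rogue DHCP server does its damage by handing clients bad DNS servers, after which DC location fails. Where switch-level DHCP snooping is not available, the same condition can at least be detected on the wire. The following script is an added example, not code from the Samba project or from either poster: it parses the option area of a DHCP OFFER/ACK (RFC 2131/2132 TLV layout) and flags replies whose server identifier (option 54) or DNS server list (option 6) is not on an allowlist. The allowlisted addresses and the constructed DHCPOFFER fixtures are assumptions made up for the example; in practice the payload would come from a capture of UDP port 68 traffic on a monitoring host.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the option area
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_OFFER, MSG_ACK = 2, 5

# Allowlists: assumed values for this example, not from the thread.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}
AUTHORIZED_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {code: raw_bytes}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts = {}
    i = 240                       # first byte after the fixed header + cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:       # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = data
        i += 2 + length
    return opts


def _ipv4_list(data: bytes) -> list:
    """Decode an option carrying one or more IPv4 addresses (e.g. option 6)."""
    if len(data) % 4:
        raise ValueError("IPv4 list option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def check_dhcp_reply(payload: bytes) -> list:
    """Return findings for a DHCP OFFER/ACK; an empty list means nothing suspicious."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) not in (bytes([MSG_OFFER]), bytes([MSG_ACK])):
        return []                 # only server-to-client replies are of interest
    findings = []
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None:
        findings.append("reply lacks server identifier (option 54)")
    else:
        sid = str(ipaddress.IPv4Address(server_id))
        if sid not in AUTHORIZED_DHCP_SERVERS:
            findings.append(f"unauthorized DHCP server {sid}")
    for dns in _ipv4_list(opts.get(OPT_DNS, b"")):
        if dns not in AUTHORIZED_DNS_SERVERS:
            findings.append(f"unauthorized DNS server {dns} offered")
    return findings


def build_offer(server_ip: str, dns_ips: list, yiaddr: str = "10.0.0.50") -> bytes:
    """Construct a minimal DHCPOFFER payload as a test fixture (not captured traffic)."""
    header = bytearray(236)
    header[0] = 2                 # op = BOOTREPLY
    header[1] = 1                 # htype = Ethernet
    header[2] = 6                 # hlen
    header[4:8] = b"\x12\x34\x56\x78"                    # xid (arbitrary)
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed  # offered client address
    options = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    dns_blob = b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    options += bytes([OPT_DNS, len(dns_blob)]) + dns_blob
    options += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC + options


if __name__ == "__main__":
    good = build_offer("10.0.0.2", ["10.0.0.10"])
    rogue = build_offer("10.0.0.99", ["10.0.0.99"])
    print("legitimate offer:", check_dhcp_reply(good))
    print("rogue offer:", check_dhcp_reply(rogue))
```

Each finding names the offending address, which is what you would feed to the switch-side response David describes (shutting the port the rogue service lives on). Because the check keys on option 54 rather than on the packet's source address, it also catches a rogue server that spoofs its IP header but still has to identify itself in the DHCP payload.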