NT Domain DoS and Security Exploit with SAMBA Server
cartegw at Eng.Auburn.EDU
Wed Mar 3 04:42:15 GMT 1999
Paul L Schmehl wrote:
> password server=[hostname of PDC]
> domain controller=[hostname of PDC]
This is a boolean parameter in the current code (and obsolete
I might add)
> domain logons=yes
> domain logons will fail if the PDC is rebooted while the
> SAMBA server is still running. We haven't yet determined
> *why* this is happening, but we can tell you *what* is
If you set the workgroup to be the same as the domain of
the NT PDC you are referring to, Samba will attempt to
register the workgroup<1b> record (due to domain logons being
enabled). Windows clients use this to locate the DC for their
> database, but it *does* appear in Server Manager, and
> reports itself as a Windows NT 4.2 Server. After some period
> of time (which appears to be random, but less than 24 hours)
> it begins to report itself as a BDC (Windows NT 4.2 Backup.)
The announce as in Samba 2.0.3 allows you to advertise as a
workstation although the default is still to advertise as a
The moral is to not enable domain logons if you have an
existing DC. You don't try to run two PDCs concurrently.
> Microsoft's Security Response team has looked at this
> issue and determined that it cannot be addressed in NT 4.0
> due to the insecure nature of WINS and NTLM.
Correct. The problem is the dynamic nature in which NetBIOS
names are registered and released. It is insecure.
> We then wrote a program spoofing the Windows Logon
> screen, popped up an error message that essentially said
> "your logon had failed, please reenter your username/password"
> and were able to get users to enter their username/password
> combo into our program, which wrote them to a text file
> on the SAMBA server.
Don't get this. So you wrote a mimic program. Not sure how
this relates. Could do this without Samba.
Again, just to clarify,
* Why are you trying to bring up two DCs (Samba and NT)?
* Assuming that you mean that anyone on the network
can do this, I agree it can disrupt service, but it is not
specific to Samba. Imagine this scenario:
- I install a Windows NT Server as a PDC off the
network in your domain.
- Then I connect it to the network.
- It will also attempt to take over, right?
What's the difference? The problem appears to be
NetBIOS name resolution and registration and not
Samba. Apologies if I misunderstood your post.
Comments and corrections always welcome.
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry at eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
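Added example, not part of this thread or of the Samba project: a small checker for the smb.conf combination the reply warns about (domain logons enabled on a host that already points at an NT PDC, so Samba registers the WORKGROUP<1b> name and competes with the real PDC). The parameter names are real smb.conf options; the workgroup and PDC names in the sample configs are constructed.

```python
import re

def parse_global(text: str) -> dict[str, str]:
    """[global] section as {normalised key: value}; Samba ignores case and
    whitespace in parameter names, and ';' or '#' lines are comments."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_dc_conflict(text: str) -> list[str]:
    """Findings for a Samba host that lives in an existing NT domain."""
    g = parse_global(text)
    workgroup = g.get("workgroup", "WORKGROUP").upper()
    domain_logons = g.get("domainlogons", "no").lower() in {"yes", "true", "1"}
    # Either setting means a real NT domain controller is already in use.
    external_pdc = bool(g.get("passwordserver")) or g.get("security", "").lower() == "domain"
    findings = []
    if domain_logons and external_pdc:
        findings.append(f"domain logons = yes with an external PDC: Samba registers "
                        f"{workgroup}<1b> and competes with the NT PDC; set domain logons = no")
    if external_pdc and g.get("announceas", "").lower() != "nt workstation":
        findings.append("announce as is not 'NT Workstation': Samba advertises as an NT "
                        "server in Server Manager (Samba 2.0.3+ can announce as a workstation)")
    return findings

# Constructed sample configs (not taken from the thread).
RISKY_CONF = """
[global]
   workgroup = ENGDOM
   security = domain
   password server = PDC1
   domain logons = yes
"""
SAFE_CONF = """
[global]
   workgroup = ENGDOM
   ; member server: let the NT PDC keep the <1b> name
   security = domain
   password server = PDC1
   domain logons = no
   announce as = NT Workstation
"""
```

Running check_dc_conflict over RISKY_CONF yields two findings and over SAFE_CONF none.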