NT Domain DoS and Security Exploit with SAMBA Server

Gerald Carter cartegw at Eng.Auburn.EDU
Wed Mar 3 04:42:15 GMT 1999

Paul L Schmehl wrote:
> security=server
> password server=[hostname of PDC]
> domain controller=[hostname of PDC]

This is a boolean parameter in the current code (and obsolete,
I might add).

> domain logons=yes
> domain logons will fail if the PDC is rebooted while the 
> SAMBA server is still running.  We haven't yet determined 
> *why* this is happening, but we can tell you *what* is 
> happening

If you set the workgroup to be the same as the domain of 
the NT PDC you are referring to, Samba will attempt to 
register the workgroup<1b> record (due to domain logons being 
enabled). Windows clients use this to locate the DC for their 

> database, but it *does* appear in Server Manager, and 
> reports itself as a Windows NT 4.2 Server.  After some period 
> of time (which appears to be random, but less than 24 hours) 
> it begins to report itself as a BDC (Windows NT 4.2 Backup.)

The announce as in Samba 2.0.3 allows you to advertise as a 
workstation although the default is still to advertise as a 

The moral is to not enable domain logons if you have an 
existing DC.  You don't try to run two PDCs concurrently.
Same here

> Microsoft's Security Response team has looked at this 
> issue and determined that it cannot be addressed in NT 4.0 
> due to the insecure nature of WINS and NTLM.  

Correct.  The problem is the dynamic nature in which NetBIOS 
names are registered and released.  It is insecure.

> We then wrote a program spoofing the Windows Logon 
> screen, popped up an error message that essentially said 
> "your logon had failed, please reenter your username/password" 
> and were able to get users to enter their username/password 
> combo into our program, which wrote them to a text file
> on the SAMBA server.  

Don't get this.  So you wrote a mimic program. Not sure how 
this relates.  Could do this without Samba.

Again, just to clarify, 

* why are you trying to bring up two DCs (Samba and NT)?

* Assuming that you are meaning that anyone on the network 
  can do this, I agree it can disrupt service, but it is not 
  specific to Samba.  Imagine this scenario,

    - I install a Windows NT Server as a PDC off the 
      network in your domain. 
    - Then I connect it to the network.
    - it will also attempt to take over, right?

What's the difference?  The problem appears to be 
NetBIOS name resolution and registration and not 
Samba.  Apologies if I misunderstood your post.

Comments and corrections always welcome.
jerry carter
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
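The reply above turns on who currently holds the DOMAIN<1b> NetBIOS record, which Windows clients use to find their domain controller. The following check is an added example and is not part of the original post or of Samba itself: it queries that name with Samba's nmblookup and warns when any host other than the expected PDC answers for it, which is exactly the symptom a Samba server with domain logons enabled in an existing NT domain would produce. EXPECTED_PDC_IP and DOMAIN are placeholders to replace; the sample nmblookup output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): report which host
# currently claims the DOMAIN<1b> NetBIOS name, i.e. who clients will treat
# as the domain controller. Assumes nmblookup (from Samba) is installed.

EXPECTED_PDC_IP="192.0.2.10"     # placeholder: address of the legitimate NT PDC
DOMAIN="EXAMPLEDOM"              # placeholder: NT domain / workgroup name

# Extract the IP addresses from nmblookup output lines carrying the <1b>
# name type. Reads raw nmblookup output on stdin. Constructed sample output:
#   querying EXAMPLEDOM on 192.0.2.255
#   192.0.2.10 EXAMPLEDOM<1b>
parse_1b_holders() {
    awk '/<1b>/ { print $1 }'
}

# Return 0 when only the expected PDC answers for <1b>, 1 otherwise.
# $1 = expected PDC address; nmblookup output is read on stdin.
check_1b_holder() {
    expected="$1"
    holders=$(parse_1b_holders)
    if [ -z "$holders" ]; then
        echo "no host currently claims ${DOMAIN}<1b>"
        return 1
    fi
    status=0
    for ip in $holders; do
        if [ "$ip" != "$expected" ]; then
            echo "WARNING: $ip holds ${DOMAIN}<1b> (expected $expected)"
            status=1
        fi
    done
    return $status
}

# Live run, only when nmblookup is present. The '#1b' suffix asks nmblookup
# for that specific name type rather than the default <00> workstation name.
if command -v nmblookup >/dev/null 2>&1; then
    nmblookup "${DOMAIN}#1b" | check_1b_holder "$EXPECTED_PDC_IP"
fi
```

Run it from a host on the same broadcast domain (or point nmblookup at a WINS server with its `-U` option) and schedule it; a non-zero exit means the DC locator record has moved, which is the condition described in the thread.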
