SECURITY: password replication onto RODCs

Andrew Bartlett abartlet at samba.org
Sun Dec 1 13:48:52 MST 2013


On Fri, 2013-11-29 at 12:35 -0500, Michael Brown wrote:
> I just accidentally loaded password credentials for the ENTIRE DOMAIN 
> onto my RODC.
> 
> Samba RODCs are: sernet-samba-4.1.2-7.suse111
> Windows DCs are: Windows 2008R2, updated as of 2013-11-12.
> 
> I was attempting to try some things to get rid of these replication 
> errors which have been there since day one:
> 
> Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287073, 0] 
> ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
> Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict 
> adding object 
> 'DC=6b51956f-604c-41a4-8366-6fb31664f468,DC=_msdcs.main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=ForestDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' 
> from incoming replication as we are read only for the partition.
> Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation 
> until a master for this partition resolves the conflict: Entry already 
> exists
> Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287700, 0] 
> ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
> Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects: 
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533380, 0] 
> ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
> Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict 
> adding object 
> 'DC=_kerberos._tcp.Shire._sites,DC=main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' 
> from incoming replication as we are read only for the partition.
> Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation 
> until a master for this partition resolves the conflict: Entry already 
> exists
> Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533773, 0] 
> ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
> Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects: 
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> 
> and I ran the following command with a Domain Administrator ticket:
> michael at sles-bree:~> samba-tool drs replicate 
> sles-bree.main.adlab.netdirect.ca ad1.main.adlab.netdirect.ca 
> DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync --sync-forced
> 
> This caused a full re-replication of the partition, including the 
> credentials for ALL ACCOUNTS IN THE DOMAIN (I verified with tdbdump).
> 
> Oops.
> 
> I can also replicate a user who is explicitly denied by using a domain 
> administrator ticket:
> sles-shire:/home/michael # samba-tool rodc preload administrator 
> --server ad1.main.adlab.netdirect.ca -k yes
> Replicating DN CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
> Exop on[CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca] 
> objects[1] linked_values[3]
> 
> Windows *understands* that the password is being replicated to the RODC 
> for an explicitly denied account and still permits it:
> http://i.imgur.com/f9qDS2y.png
> 
> I'm not sure if it's the Windows DC's job to enforce the RODC password 
> replication policy or the RODC's job. It *SHOULD* be the DC's job!

It's the DC's job, and it relies on the security token of the connecting
account.  To rely on the destination DSA would just open up a different
security hole (if that was the only arbiter, as it could be faked), or
require that this also be checked, which would break replicating as an
administrator.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
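The decision rule in the reply above, as an added illustrative model written for this thread rather than code taken from Samba or Windows: the source DC decides whether a GetNCChanges request may carry secrets, it decides from the security token of the connecting account, and it ignores whatever destination DSA the request claims to be for. The policy shape (msDS-RevealOnDemandGroup as the allowed set, msDS-NeverRevealGroup as the denied set, deny wins) follows the Active Directory RODC Password Replication Policy; the account names, group memberships and the `SLES-BREE$` RODC account are constructed sample data, and `may_reveal_secrets`, `prp_permits` and `audit_revealed` are hypothetical helper names, not Samba APIs.

```python
"""Model of who decides whether account secrets may be replicated to an RODC.

Illustrative model only (not Samba's or Windows's code).  Encodes the rule
from the thread: the *source* DC decides, from the *caller's* security token,
and never from the destination DSA named in the request.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Token:
    """What the source DC knows about the caller after authentication."""
    account: str
    groups: FrozenSet[str]
    # True if the caller holds DS-Replication-Get-Changes-All on the partition
    # (Domain Admins and writable DCs do; an RODC's own account does not).
    get_changes_all: bool


@dataclass(frozen=True)
class RodcPolicy:
    """Flattened membership of one RODC's PRP groups."""
    allowed: FrozenSet[str]  # msDS-RevealOnDemandGroup members
    denied: FrozenSet[str]   # msDS-NeverRevealGroup members


# Constructed sample directory state: one RODC and its PRP.
RODC_POLICIES: Dict[str, RodcPolicy] = {
    "SLES-BREE$": RodcPolicy(
        allowed=frozenset({"Allowed RODC Password Replication Group"}),
        denied=frozenset({"Denied RODC Password Replication Group",
                          "Domain Admins"}),
    ),
}

# Constructed sample users with their flattened group membership.
USERS: Dict[str, FrozenSet[str]] = {
    "administrator": frozenset({"Domain Admins",
                                "Denied RODC Password Replication Group"}),
    "frodo": frozenset({"Allowed RODC Password Replication Group",
                        "Domain Users"}),
    "gandalf": frozenset({"Domain Users"}),
    # Both allowed and denied: deny must win.
    "saruman": frozenset({"Allowed RODC Password Replication Group",
                          "Denied RODC Password Replication Group"}),
}

# Constructed caller tokens: the RODC replicating on its own behalf, and a
# Domain Admin running samba-tool with a Kerberos ticket.
RODC_TOKEN = Token("SLES-BREE$", frozenset({"Enterprise Read-only Domain Controllers"}),
                   get_changes_all=False)
ADMIN_TOKEN = Token("michael", frozenset({"Domain Admins", "Domain Users"}),
                    get_changes_all=True)


def prp_permits(policy: RodcPolicy, user_groups: FrozenSet[str]) -> bool:
    """Apply one RODC's PRP to a user: deny wins, then allow, else refuse."""
    if user_groups & policy.denied:
        return False
    return bool(user_groups & policy.allowed)


def may_reveal_secrets(caller: Token, target_user: str,
                       claimed_dsa: Optional[str] = None) -> bool:
    """Source-DC decision for a replication request that asks for secrets.

    claimed_dsa is accepted and deliberately ignored: the request can name any
    destination DSA, so trusting it would be the faked-arbiter hole the reply
    warns about.  Only the authenticated caller counts.
    """
    del claimed_dsa
    if caller.get_changes_all:
        # A Domain Admin or writable DC may replicate anything; the PRP is not
        # consulted, which is exactly why the preload of a denied account worked.
        return True
    policy = RODC_POLICIES.get(caller.account)
    if policy is None:
        return False  # neither an RODC account nor GetChanges-All: no secrets
    return prp_permits(policy, USERS[target_user])


def audit_revealed(rodc: str, revealed: FrozenSet[str]) -> Set[str]:
    """Accounts cached on rodc that its own PRP would have refused.

    In a real forest the cached set is what the RODC's msDS-RevealedUsers
    attribute records; here it is passed in as constructed data.
    """
    policy = RODC_POLICIES[rodc]
    return {u for u in revealed if not prp_permits(policy, USERS[u])}


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:14s} via RODC token: {may_reveal_secrets(RODC_TOKEN, user)}"
              f"  via admin token: {may_reveal_secrets(ADMIN_TOKEN, user)}")
    # Reproduce the incident: a full sync as Domain Admin cached every account.
    print("over-cached after full sync:",
          sorted(audit_revealed("SLES-BREE$", frozenset(USERS))))
```

Run as a script it prints that the RODC's own token only obtains `frodo`, that the admin token obtains every account including the explicitly denied `administrator`, and that after a full sync three of the four accounts sit on the RODC against its policy. The `audit_revealed` shape is the check to run after an incident like the one in the thread: compare what the RODC actually holds against what its PRP would have let it hold.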