SECURITY: password replication onto RODCs

Michael Brown michael at netdirect.ca
Mon Dec 2 09:14:43 MST 2013


On 13-12-01 04:18 PM, Andrew Bartlett wrote:
> On Fri, 2013-11-29 at 12:35 -0500, Michael Brown wrote:
>> Anyways... is there a quick and easy way to purge credentials from
>> the
>> RODC replica?
> No.  Even if you deleted the database and re-replicated, it could still
> be recovered from the disk.  The passwords have been 'exposed'.
>
> I suggest wiping the disk, if you are worried.
This is my lab, so I'm not concerned. But it was entirely accidental and 
there didn't seem to be a way to re-replicate otherwise.

We should perhaps put something in place to protect the administrator 
from this error :)

I did find http://msdn.microsoft.com/en-us/library/cc223850.aspx but 
samba doesn't implement it yet.

Perhaps I'll look into implementing that to get my feet wet.

On 13-12-01 03:48 PM, Andrew Bartlett wrote:
> It's the DC's job, and it relies on the security token of the connecting
> account.  To rely on the destination DSA would just open up a different
> security hole (if that was the only arbiter, as it could be faked), or
> require that this also be checked, which would break replicating as an
> administrator.
I tried:
* calling the command as root (no kerberos)
* calling the command as a normal domain user (kerberos)
* calling the command as a delegated administrator (kerberos)
and each time got rejected by samba. (DsReplicaSync refused for security 
token (level=10))

The RODC insists on having at least a SECURITY_DOMAIN_CONTROLLER account 
make this request. So at the moment there's no way to "safely" 
re-replicate. Perhaps if we're *on* a RODC, we could relax that to 
SECURITY_RO_DOMAIN_CONTROLLER?

In either case, I would have expected that any account could make the 
*request* to samba, but then for samba to use its own account to 
request the replica sync from the DC. Is there a reason to not do this?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
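Added example (my own C sketch, not Samba's code): a model of the security-token level gate on DsReplicaSync discussed above, including the proposed RODC relaxation. The enum values mirror Samba's `security_user_level`; the `token_model` struct and its group-to-level rules are simplified assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same values as Samba's enum security_user_level (libcli/security/session.h);
 * the "level=10" in the refused-request log line is SECURITY_USER. */
enum security_user_level {
    SECURITY_ANONYMOUS            = 0,
    SECURITY_USER                 = 10,
    SECURITY_RO_DOMAIN_CONTROLLER = 20,
    SECURITY_DOMAIN_CONTROLLER    = 30,
    SECURITY_ADMINISTRATOR        = 40,
    SECURITY_SYSTEM               = 50
};

/* Constructed stand-in for the session token (assumption, not Samba's struct):
 * which well-known groups the connecting account belongs to. */
struct token_model {
    bool is_system;          /* local SYSTEM */
    bool is_domain_admin;    /* Domain/Enterprise Admins, BUILTIN\Administrators */
    bool is_enterprise_dc;   /* Enterprise Domain Controllers (S-1-5-9) */
    bool is_readonly_dc;     /* the domain's Read-only Domain Controllers group */
    bool is_authenticated;   /* anything but anonymous */
};

/* Derive the level; a delegated admin that is not in an admin group lands
 * on SECURITY_USER, which is why all three attempts in the mail got level 10. */
enum security_user_level user_level(const struct token_model *t)
{
    if (t->is_system)        return SECURITY_SYSTEM;
    if (t->is_domain_admin)  return SECURITY_ADMINISTRATOR;
    if (t->is_enterprise_dc) return SECURITY_DOMAIN_CONTROLLER;
    if (t->is_readonly_dc)   return SECURITY_RO_DOMAIN_CONTROLLER;
    if (t->is_authenticated) return SECURITY_USER;
    return SECURITY_ANONYMOUS;
}

/* DsReplicaSync gate: caller must be at least a DC. When allow_rodc_relaxation
 * is set and the server itself is an RODC, an RODC-level caller is accepted. */
bool replica_sync_allowed(const struct token_model *t, bool local_is_rodc,
                          bool allow_rodc_relaxation)
{
    enum security_user_level lvl = user_level(t);
    enum security_user_level required = SECURITY_DOMAIN_CONTROLLER;
    if (allow_rodc_relaxation && local_is_rodc)
        required = SECURITY_RO_DOMAIN_CONTROLLER;
    if (lvl < required) {
        printf("DsReplicaSync refused for security token (level=%d)\n", lvl);
        return false;
    }
    return true;
}
```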


