SECURITY: password replication onto RODCs
Michael Brown
michael at netdirect.ca
Mon Dec 2 09:14:43 MST 2013
On 13-12-01 04:18 PM, Andrew Bartlett wrote:
> On Fri, 2013-11-29 at 12:35 -0500, Michael Brown wrote:
>> Anyways... is there a quick and easy way to purge credentials from the
>> RODC replica?
> No. Even if you deleted the database and re-replicated, it could still
> be recovered from the disk. The passwords have been 'exposed'.
>
> I suggest wiping the disk, if you are worried.
This is my lab, so I'm not concerned. But it was entirely accidental and
there didn't seem to be a way to re-replicate otherwise.
We should perhaps put something in place to protect the administrator
from this error :)
I did find http://msdn.microsoft.com/en-us/library/cc223850.aspx but
samba doesn't implement it yet.
Perhaps I'll look into implementing that to get my feet wet.
On 13-12-01 03:48 PM, Andrew Bartlett wrote:
> It's the DC's job, and it relies on the security token of the connecting
> account. To rely on the destination DSA would just open up a different
> security hole (if that was the only arbiter, as it could be faked), or
> require that this also be checked, which would break replicating as an
> administrator.
I tried:
* calling the command as root (no kerberos)
* calling the command as a normal domain user (kerberos)
* calling the command as a delegated administrator (kerberos)
and each time got rejected by samba. (DsReplicaSync refused for security
token (level=10))
The RODC insists on having at least a SECURITY_DOMAIN_CONTROLLER account
make this request. So at the moment there's no way to "safely"
re-replicate. Perhaps if we're *on* a RODC, we could relax that to
SECURITY_RO_DOMAIN_CONTROLLER?
In either case, I would have expected that any account could make the
*request* to samba, but then for samba to use its own account to
request the replica sync from the DC. Is there a reason to not do this?
M.
--
Michael Brown | `One of the main causes of the fall of
Systems Consultant | the Roman Empire was that, lacking zero,
Net Direct Inc. | they had no way to indicate successful
☎: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
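A defender-side check for the exposure discussed in this thread, as an added example that is not part of the original message or of Samba's code: it parses an LDIF dump of an RODC's computer object, lists which accounts' secrets that RODC has cached, and flags the privileged ones. It assumes the msDS-RevealedUsers attribute (DN-Binary syntax, B:<hexlen>:<hex>:<DN>) carries that list; the LDIF entry and the privileged set are constructed.

```python
import base64
import re

# Constructed LDIF, shaped like a search result for the RODC computer object.
# msDS-RevealedUsers is assumed to list the accounts whose secrets the RODC
# caches, in DN-Binary syntax; the hex blob is treated as opaque here.
SAMPLE_LDIF = """\
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=test
msDS-RevealedUsers: B:8:00000002:CN=alice,CN=Users,DC=example,DC=test
msDS-RevealedUsers: B:8:00000002:CN=Administrator,CN=Users,DC=example,DC=test
msDS-RevealedUsers: B:8:00000002:CN=svc-backup,OU=Service,DC=example,DC=test
msDS-RevealedUsers: B:8:00000002:CN=alice,CN=Users,DC=example,DC=test
"""

# Constructed set of accounts whose secrets should never sit on an RODC.
PRIVILEGED_DNS = {
    "CN=Administrator,CN=Users,DC=example,DC=test",
    "CN=svc-backup,OU=Service,DC=example,DC=test",
}

DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")

def ldif_values(ldif: str, attr: str) -> list[str]:
    """All values of `attr` in one LDIF entry; '::' marks a base64 value."""
    values = []
    for line in ldif.splitlines():
        name, sep, raw = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if raw.startswith(":"):
            values.append(base64.b64decode(raw[1:].strip()).decode())
        else:
            values.append(raw.strip())
    return values

def revealed_dns(ldif: str) -> list[str]:
    """Unique DNs whose secrets the RODC has cached, in first-seen order."""
    seen: dict[str, None] = {}
    for value in ldif_values(ldif, "msDS-RevealedUsers"):
        m = DN_BINARY.match(value)
        if not m:
            continue                      # not DN-Binary: skip, do not guess
        hexlen, blob, dn = m.groups()
        if int(hexlen) != len(blob):      # malformed value: skip it
            continue
        seen.setdefault(dn, None)
    return list(seen)

def exposed_privileged(ldif: str, privileged: set[str]) -> list[str]:
    """DNs from `privileged` whose secrets are cached on this RODC."""
    return [dn for dn in revealed_dns(ldif) if dn in privileged]
```

A non-empty result from exposed_privileged() is the condition under which, as the thread notes, the only real remedy is to treat those secrets as exposed and rotate them.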