SECURITY: password replication onto RODCs

Andrew Bartlett abartlet at
Mon Dec 2 14:25:21 MST 2013

On Mon, 2013-12-02 at 11:14 -0500, Michael Brown wrote:
> On 13-12-01 04:18 PM, Andrew Bartlett wrote:
> > On Fri, 2013-11-29 at 12:35 -0500, Michael Brown wrote:
> > > Anyways... is there a quick and easy way to purge credentials from
> > > the RODC replica?
> > No.  Even if you deleted the database and re-replicated, it could still
> > be recovered from the disk.  The passwords have been 'exposed'.
> > 
> > I suggest wiping the disk, if you are worried.
> This is my lab, so I'm not concerned. But it was entirely accidental
> and there didn't seem to be a way to re-replicate otherwise.

Just re-join the machine to the domain then.

> We should perhaps put something in place to protect the administrator
> from this error :)
> I did find but
> samba doesn't implement it yet. 
> Perhaps I'll look into implementing that to get my feet wet.

It's a very interesting control.  Clearly written for exactly the
situation you have, but with that same flaw - once disclosed, no amount
of 'please forget you knew that' really makes any difference.  The only
real secure choice is to change the secrets so disclosed. 

> On 13-12-01 03:48 PM, Andrew Bartlett wrote: 
> > It's the DC's job, and it relies on the security token of the connecting
> > account.  To rely on the destination DSA would just open up a different
> > security hole (if that was the only arbiter, as it could be faked), or
> > require that this also be checked, which would break replicating as an
> > administrator.
> I tried:
> * calling the command as root (no kerberos)
> * calling the command as a normal domain user (kerberos)
> * calling the command as a delegated administrator (kerberos)
> and each time got rejected by samba. (DsReplicaSync refused for
> security token (level=10))
> The RODC insists on having at least a SECURITY_DOMAIN_CONTROLLER
> account make this request. So at the moment there's no way to "safely"
> re-replicate. Perhaps if we're *on* a RODC, we could relax that to
> In either case, I would have expected that any account could make the
> *request* to samba, but then for samba to use its own account to
> request the replica sync from the DC. Is there a reason to not do
> this?

Are you sure you didn't specify --local?

Without that, we really should have used the RODC machine account,
because we just poke the local DC to ask it to do a replication, on its
own behalf.

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
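The practical follow-up to "change the secrets so disclosed" is knowing which accounts the RODC has held secrets for. As an added illustration (not code from this thread or from Samba), assuming the RODC's computer object carries the msDS-RevealedUsers attribute in DN-Binary form as ldbsearch prints it, and using constructed sample values, this parser lists the accounts whose passwords need to be reset:

```python
import re
from typing import Dict, List, Set

# Constructed sample, not real directory data: the msDS-RevealedUsers values
# of an RODC computer object in DN-Binary syntax "B:<hexdigits>:<hex>:<DN>".
# The hex part is the attribute id of the secret that was replicated
# (0x9005A is unicodePwd); the DN names the account it belongs to.
SAMPLE_LDIF = """\
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005A:CN=alice,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005E:CN=alice,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005A:CN=bob,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005A:CN=RODC1,OU=Domain Controllers,DC=example,DC=com
"""

DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.*)$")


def parse_revealed(ldif: str) -> Dict[str, Set[str]]:
    """Map each account DN to the set of attribute ids revealed to the RODC."""
    revealed: Dict[str, Set[str]] = {}
    for line in ldif.splitlines():
        if not line.startswith("msDS-RevealedUsers:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = DN_BINARY.match(value)
        if not m:
            raise ValueError(f"not a DN-Binary value: {value!r}")
        hexlen, hexdata, dn = m.groups()
        # The length field counts hex digits; a mismatch means a mangled value.
        if len(hexdata) != int(hexlen):
            raise ValueError(f"length mismatch in {value!r}")
        revealed.setdefault(dn, set()).add(hexdata.upper())
    return revealed


def accounts_to_reset(ldif: str, rodc_dn: str) -> List[str]:
    """Accounts whose secrets the RODC has held, minus the RODC's own account."""
    return sorted(dn for dn in parse_revealed(ldif)
                  if dn.lower() != rodc_dn.lower())


if __name__ == "__main__":
    rodc = "CN=RODC1,OU=Domain Controllers,DC=example,DC=com"
    for dn in accounts_to_reset(SAMPLE_LDIF, rodc):
        print("reset password for", dn)
```

Feed it the output of an ldbsearch against the RODC's computer object instead of the constructed block; the RODC's own machine account is excluded because re-joining the domain already renews it.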
