SECURITY: password replication onto RODCs
abartlet at samba.org
Mon Dec 2 14:25:21 MST 2013
On Mon, 2013-12-02 at 11:14 -0500, Michael Brown wrote:
> On 13-12-01 04:18 PM, Andrew Bartlett wrote:
> > On Fri, 2013-11-29 at 12:35 -0500, Michael Brown wrote:
> > > Anyways... is there a quick and easy way to purge credentials from the
> > > RODC replica?
> > No. Even if you deleted the database and re-replicated, it could still
> > be recovered from the disk. The passwords have been 'exposed'.
> > I suggest wiping the disk, if you are worried.
> This is my lab, so I'm not concerned. But it was entirely accidental
> and there didn't seem to be a way to re-replicate otherwise.
Just re-join the machine to the domain then.
> We should perhaps put something in place to protect the administrator
> from this error :)
> I did find http://msdn.microsoft.com/en-us/library/cc223850.aspx but
> samba doesn't implement it yet.
> Perhaps I'll look into implementing that to get my feet wet.
It's a very interesting control. Clearly written for exactly the
situation you have, but with that same flaw - once disclosed, no amount
of 'please forget you knew that' really makes any difference. The only
real secure choice is to change the secrets so disclosed.
> On 13-12-01 03:48 PM, Andrew Bartlett wrote:
> > It's the DC's job, and it relies on the security token of the connecting
> > account. To rely on the destination DSA would just open up a different
> > security hole (if that was the only arbiter, as it could be faked), or
> > require that this also be checked, which would break replicating as an
> > administrator.
> I tried:
> * calling the command as root (no kerberos)
> * calling the command as a normal domain user (kerberos)
> * calling the command as a delegated administrator (kerberos)
> and each time got rejected by samba. (DsReplicaSync refused for
> security token (level=10))
> The RODC insists on having at least a SECURITY_DOMAIN_CONTROLLER
> account make this request. So at the moment there's no way to "safely"
> re-replicate. Perhaps if we're *on* a RODC, we could relax that to
> In either case, I would have expected that any account could make the
> *request* to samba, but then for samba to use its own account to
> request the replica sync from the DC. Is there a reason to not do
Are you sure you didn't specify --local?
Without that, we really should have used the RODC machine account,
because we just poke the local DC to ask it to do a replication, on its
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
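The point made above, that once secrets have reached an RODC the only real fix is to rotate them, has a practical counterpart: Active Directory records which accounts' secrets an RODC has received in the msDS-RevealedUsers attribute of the RODC's computer object (Windows shows it with "repadmin /prp view <RODC> reveal"). The following is an added example, not code from this thread or from Samba, that turns that attribute into a reset list. It assumes the binary part of each DN-Binary value (B:<hexlen>:<hex>:<DN>) is the attribute ID of the revealed secret attribute, that "samba-tool user setpassword --random-password --filter=..." is available, and uses a simple DN heuristic (also an assumption) to set aside machine accounts, which need a machine-password reset or rejoin rather than a user password change. The LDIF input is constructed for illustration.

```python
"""Build a secret-rotation plan from an RODC's msDS-RevealedUsers values.

Added example (not from the mailing-list thread and not Samba's own code).
Assumptions: msDS-RevealedUsers values are DN-Binary (B:<hexlen>:<hex>:<DN>)
whose hex part is the attribute ID of the secret attribute that was revealed;
samba-tool user setpassword accepts --random-password and --filter.
"""
import re
from collections import OrderedDict

# Constructed sample of the RODC computer object as an LDIF dump would show it.
# The hex blobs are illustrative attribute IDs; the last value is deliberately
# malformed (declared length 6, only 4 hex digits) to exercise the validator.
SAMPLE_LDIF = """\
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=com
objectClass: computer
msDS-RevealedUsers: B:8:0009005A:CN=alice,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009007D:CN=alice,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005A:CN=bob,CN=Users,DC=example,DC=com
msDS-RevealedUsers: B:8:0009005A:CN=WS01,CN=Computers,DC=example,DC=com
msDS-RevealedUsers: B:6:0009:CN=bogus,CN=Users,DC=example,DC=com
"""

DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")


def parse_dn_binary(value):
    """Split one DN-Binary value into (hex_blob, dn), or None if malformed.

    The declared length must match the blob before anything after the second
    colon is trusted; an odd number of hex digits is rejected as well.
    """
    m = DN_BINARY.match(value.strip())
    if not m:
        return None
    declared, blob, dn = m.groups()
    if int(declared) != len(blob) or len(blob) % 2:
        return None
    return blob.upper(), dn


def revealed_accounts(ldif_text):
    """Map each revealed DN to the sorted list of secret-attribute IDs (hex).

    Only plain 'attr: value' LDIF lines are handled (no base64 '::' values,
    no folded continuation lines); malformed values are skipped, not guessed.
    """
    accounts = OrderedDict()
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "msds-revealedusers":
            continue
        parsed = parse_dn_binary(value)
        if parsed is None:
            continue
        blob, dn = parsed
        accounts.setdefault(dn, set()).add(blob)
    return OrderedDict((dn, sorted(ids)) for dn, ids in accounts.items())


def is_user_account(dn):
    """Heuristic (an assumption, not AD semantics): objects under CN=Computers
    or OU=Domain Controllers are machine accounts and get a manual step."""
    parent = dn.split(",", 1)[1].lower() if "," in dn else ""
    return not (parent.startswith("cn=computers,")
                or parent.startswith("ou=domain controllers,"))


def ldap_filter_escape(text):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return (text.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29")
                .replace("\x00", "\\00"))


def remediation_plan(ldif_text):
    """Return (commands, manual): samba-tool commands that rotate revealed user
    passwords, and machine-account DNs that need a rejoin / password reset."""
    commands, manual = [], []
    for dn in revealed_accounts(ldif_text):
        if is_user_account(dn):
            commands.append(
                "samba-tool user setpassword --random-password "
                "--filter='(distinguishedName=%s)'" % ldap_filter_escape(dn))
        else:
            manual.append(dn)
    return commands, manual


if __name__ == "__main__":
    cmds, manual = remediation_plan(SAMPLE_LDIF)
    print("\n".join(cmds))
    for dn in manual:
        print("# machine account, reset its password or rejoin:", dn)
```

Feed it the real RODC object (for example the output of "ldbsearch -H ldap://dc -b '<RODC DN>' -s base msDS-RevealedUsers") instead of SAMPLE_LDIF; the attribute is maintained by the writable DC, so it must be read there, not from the RODC being cleaned up. Rotating every listed secret is the "change the secrets so disclosed" step the thread recommends; wiping or rejoining the RODC alone does not shorten that list.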