SECURITY: password replication onto RODCs

Michael Brown michael at netdirect.ca
Wed Dec 4 09:06:43 MST 2013


On 13-12-02 04:25 PM, Andrew Bartlett wrote:
> Just re-join the machine to the domain then. 
That's my worry - how many times am I going to have to re-join it before 
the replication error goes away?

This was concerning due to the fact that the person who made these RODCs 
*literally* ran the same commands on each and started them up the same. 
Some are OK, some are not. When we deploy 1400 RODCs, how many of them 
are going to come up with that replication error?
>> We should perhaps put something in place to protect the administrator
>> from this error :)
>>
>> I did find http://msdn.microsoft.com/en-us/library/cc223850.aspx but
>> samba doesn't implement it yet.
>>
>> Perhaps I'll look into implementing that to get my feet wet.
> It's a very interesting control.  Clearly written for exactly the
> situation you have, but with that same flaw - once disclosed, no amount
> of 'please forget you knew that' really makes any difference.  The only
> real secure choice is to change the secrets so disclosed.
I do like the example in the docs of 'this person no longer needs to 
have their password on the RODC'. Not perfect of course, but if you're 
truly paranoid about it you'll have other measures in place like FDE or 
storing all the Samba data on an encrypted filesystem.

It's also handy to clear the saved password when you're testing out 
functionality that fails when passwords are cached on the RODC: 
http://serverfault.com/q/556461/2101

In either case, I would have expected that any account could make the
*request* to samba, but then for samba to use its own account to
request the replica sync from the DC. Is there a reason to not do
this?

> Are you sure you didn't specify --local?
>
> Without that, we really should have used the RODC machine account,
> because we just poke the local DC to ask it to do a replication, on its
> own behalf.
Looking back into my history, I see:
sudo samba-tool drs replicate sles-bree.main.adlab.netdirect.ca 
ad1.main.adlab.netdirect.ca 
DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync 
--sync-forced --local

So I was trying that out on the DomainDnsZones partition... it's 
*possible* that I ran that on the main partition as well.

Perhaps we should add a warning into the replicate tool that tells the 
admin what's going to happen may not be what he expects/wants. And 
filter out the passwords from what gets saved to disk if we detect we're 
on an RODC?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
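The two safeguards proposed at the end of the message (a warning when `--local` is used on an RODC, and stripping password material before it is saved to the RODC's database) can be sketched as a small guard around the command line quoted above. The code below is an added illustration, not Samba's own code or anything the thread participants wrote: `parse_replicate_args`, `warning_for` and `filter_for_rodc` are hypothetical names, the `dest_is_rodc` and `cache_allowed` booleans stand in for the role and password-replication-policy lookups a real implementation would do against the database, and the replica record is constructed sample data. The attribute list is the set of AD attributes that carry password or trust secrets.

```python
"""Added example (not Samba's code): models the two proposals from the post,
a warning for `samba-tool drs replicate --local` on an RODC and a filter
that keeps secret attributes out of what the RODC writes to disk."""
from typing import Dict, List, Optional

# Attributes that carry password or trust secrets in Active Directory.
# Compared case-insensitively, because LDAP attribute names are.
SECRET_ATTRIBUTES = frozenset(a.lower() for a in (
    "unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
    "supplementalCredentials", "clearTextPassword",
    "trustAuthIncoming", "trustAuthOutgoing",
    "initialAuthIncoming", "initialAuthOutgoing",
    "currentValue", "priorValue",
))

# The command line quoted in the post, as the sample input for this example.
SAMPLE_ARGV = [
    "sudo", "samba-tool", "drs", "replicate",
    "sles-bree.main.adlab.netdirect.ca", "ad1.main.adlab.netdirect.ca",
    "DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca",
    "-k", "yes", "--full-sync", "--sync-forced", "--local",
]

# Constructed replica record: what a pulled user object might look like.
SAMPLE_OBJECT = {
    "sAMAccountName": "jdoe",
    "objectClass": ["top", "person", "user"],
    "unicodePwd": b"<constructed NT hash>",
    "ntPwdHistory": b"<constructed history>",
    "supplementalCredentials": b"<constructed blob>",
}


def is_secret_attribute(name: str) -> bool:
    return name.lower() in SECRET_ATTRIBUTES


def parse_replicate_args(argv: List[str]) -> Dict[str, object]:
    """Pull DEST_DC, SOURCE_DC, NC and the option flags out of a
    `samba-tool drs replicate` command line (only `-k` takes a value)."""
    try:
        i = argv.index("replicate") + 1
    except ValueError:
        raise ValueError("not a 'drs replicate' command line")
    positional: List[str] = []
    flags = set()
    while i < len(argv):
        arg = argv[i]
        if arg == "-k":          # kerberos option: skip its yes/no value
            i += 2
            continue
        if arg.startswith("-"):
            flags.add(arg)
        else:
            positional.append(arg)
        i += 1
    if len(positional) != 3:
        raise ValueError("expected DEST_DC SOURCE_DC NC")
    dest, source, nc = positional
    return {"dest": dest, "source": source, "nc": nc, "flags": flags}


def warning_for(parsed: Dict[str, object], dest_is_rodc: bool) -> Optional[str]:
    """Proposal (1): explain what --local does when the destination is an RODC.
    With --local the pull runs under the caller's credentials instead of the
    RODC machine account, so whatever the caller can read lands on local disk."""
    flags = parsed["flags"]
    if not dest_is_rodc or "--local" not in flags:
        return None
    msg = (f"WARNING: {parsed['dest']} is an RODC and --local is set: "
           f"{parsed['nc']} will be pulled from {parsed['source']} with your "
           "credentials rather than the RODC machine account, and any secrets "
           "you can read will be written into the local database.")
    forced = [f for f in ("--full-sync", "--sync-forced") if f in flags]
    if forced:
        msg += " " + "/".join(forced) + " makes this a complete, forced copy."
    return msg


def filter_for_rodc(obj: Dict[str, object], dest_is_rodc: bool,
                    cache_allowed: bool = False) -> Dict[str, object]:
    """Proposal (2): drop secret attributes before they reach disk on an RODC.
    `cache_allowed` stands in for the RODC password replication policy check
    (assumption: a boolean instead of a real policy lookup)."""
    if not dest_is_rodc or cache_allowed:
        return dict(obj)
    return {k: v for k, v in obj.items() if not is_secret_attribute(k)}


if __name__ == "__main__":
    parsed = parse_replicate_args(SAMPLE_ARGV)
    print(warning_for(parsed, dest_is_rodc=True))
    print(sorted(filter_for_rodc(SAMPLE_OBJECT, dest_is_rodc=True)))
```

Run as a script it prints the warning for the quoted command and the attribute names that would survive the filter on an RODC; the same functions return `None` and the untouched record when the destination is a writable DC.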
