[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC

Andrew Bartlett abartlet at samba.org
Wed Dec 11 12:12:56 MST 2013 

On Wed, 2013-12-11 at 19:53 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>> What do you think of this approach?
> >>
> >> I'd like to do some testing with windows first, using our own machine
> >> account
> >> and relying on a 2 way trust is ugly, we should only do it if windows
> >> also does it.
> > 
> > The testing was with Windows 2008.  I don't see we have any other option
> > other than to rely on the two-way trust, if we want authentication, and
> > without authentication we are vulnerable to all sorts of MITM attacks,
> 
> No, we just need to implement DCERPC header signing.

How would that help, if the connection is still anonymous?  We can get
SCHANNEL, but can we get everything we need over schannel (specifically
LSA)?  Even then we have to do it anonymously to get that started, and
the comments in the code indicate that that only works against Win2000
SP0. 

> > as well as to restrict anonymous issues.  
> 
> Maybe, I'd like to see captures of windows failing this way.

Samba is currently failing this way (hence my interest), so we need a
way out of this regardless.

> > Certainly we need to at least use the stored username/password (which is
> > what Samba 3.6 did, somehow).
> > 
> >> Can you do some captures of windows to windows trusts?
> > 
> > We can make fair comparisons with AD <-> AD trusts, but Windows NT4 <->
> > AD doesn't exist as a modal for comparison any more. 
> 
> Why it's still possible to test with nt4 sp6a.

Is it?  In any case, I don't have that around any more, and the modern
secure channel work is deliberately designed to avoid that working.  I
don't think we should modal ourselves on NT4 any more, but on the most
secure working configuration. 

> > I will note that the Windows connection back to Samba classic is
> > anonymous, and to avoid deadlocks we need to do the same when not
> > talking to an Active Directory domain. 
> 
> Does it use kerberos in some cases?

We can't use Kerberos two/from a Samba classic domain. 

We know that inside a forest Kerberos is used extensively, for example
to protect DRSUAPI replication.  We also know that inter-forest trusts
only permit Kerberos authentication.  

Which specific cases are you thinking of?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list