SECURITY: password replication onto RODCs
Michael Brown
michael at netdirect.ca
Fri Nov 29 10:35:17 MST 2013
I just accidentally loaded password credentials for the ENTIRE DOMAIN
onto my RODC.
Samba RODCs are: sernet-samba-4.1.2-7.suse111
Windows DCs are: Windows 2008R2, updated as of 2013-11-12.
I was attempting to try some things to get rid of these replication
errors which have been there since day one:
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287073, 0]
../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict
adding object
'DC=6b51956f-604c-41a4-8366-6fb31664f468,DC=_msdcs.main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=ForestDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca'
from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation
until a master for this partition resolves the conflict: Entry already
exists
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287700, 0]
../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533380, 0]
../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict
adding object
'DC=_kerberos._tcp.Shire._sites,DC=main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca'
from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation
until a master for this partition resolves the conflict: Entry already
exists
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533773, 0]
../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
and I ran the following command with a Domain Administrator ticket:
michael at sles-bree:~> samba-tool drs replicate
sles-bree.main.adlab.netdirect.ca ad1.main.adlab.netdirect.ca
DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync --sync-forced
This caused a full re-replication of the partition, including the
credentials for ALL ACCOUNTS IN THE DOMAIN (I verified with tdbdump).
Oops.
I can also replicate a user who is explicitly denied by using a domain
administrator ticket:
sles-shire:/home/michael # samba-tool rodc preload administrator
--server ad1.main.adlab.netdirect.ca -k yes
Replicating DN CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
Exop on[CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca]
objects[1] linked_values[3]
Windows *understands* that the password is being replicated to the RODC
for an explicitly denied account and still permits it:
http://i.imgur.com/f9qDS2y.png
I'm not sure if it's the Windows DC's job to enforce the RODC password
replication policy or the RODC's job. It *SHOULD* be the DC's job!
If I try to run it using a normal user account (or a user account
that's delegated as an Administrator for the RODC in AD), the replication
request fails (rejected by Samba):
michael at sles-shire:~> samba-tool drs replicate
sles-shire.main.adlab.netdirect.ca ad1.main.adlab.netdirect.ca
DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 345,
in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
source_dsa_guid, NC, req_options)
File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
Nov 29 12:11:40 sles-shire samba[8022]: [2013/11/29 12:11:40.405330, 0]
../source4/rpc_server/drsuapi/drsutil.c:106(drs_security_level_check)
Nov 29 12:11:40 sles-shire samba[8022]: DsReplicaSync refused for
security token (level=10)
I wonder what would happen if I bypassed the checks in samba and had it
make the full replica request. Would the DC send the full contents?
Anyways... is there a quick and easy way to purge credentials from the
RODC replica?
M.
---
More specifically, all Windows updates are installed except:
Cumulative Security Update for ActiveX Killbits for Windows Server 2008
R2 x64 Edition (KB2900986)
Cumulative Security Update for Internet Explorer 10 for Windows Server
2008 R2 Service Pack 1 for x64-based Systems (KB2888505)
Microsoft .NET Framework 4.5.1 for Windows Server 2008 R2 x64-based
Systems (KB2858725)
Security Update for Windows Server 2008 R2 x64 Edition (KB2647170)
Security Update for Windows Server 2008 R2 x64 Edition (KB2772930)
Security Update for Windows Server 2008 R2 x64 Edition (KB2853587)
Security Update for Windows Server 2008 R2 x64 Edition (KB2862152)
Security Update for Windows Server 2008 R2 x64 Edition (KB2868626)
Security Update for Windows Server 2008 R2 x64 Edition (KB2868725)
Security Update for Windows Server 2008 R2 x64 Edition (KB2875783)
Security Update for Windows Server 2008 R2 x64 Edition (KB2876331)
Update for Windows Server 2008 R2 x64 Edition (KB2806748)
Update for Windows Server 2008 R2 x64 Edition (KB2823180)
Update for Windows Server 2008 R2 x64 Edition (KB2893519)
Windows Malicious Software Removal Tool x64 - November 2013 (KB890830)
--
Michael Brown | Systems Consultant | Net Direct Inc. | ☎: +1 519 883 1172 x5106
`One of the main causes of the fall of the Roman Empire was that, lacking zero,
they had no way to indicate successful termination of their C programs.' - Firth
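The policy evaluation the post is arguing about (who enforces the RODC Password Replication Policy, and what "explicitly denied" should mean for an account that nevertheless shows up on the RODC), as an added Python example that is not part of the original post and is not Samba's or Microsoft's code. It models the RODC computer object's msDS-NeverRevealGroup, msDS-RevealOnDemandGroup and msDS-RevealedUsers attributes (attribute names as in MS-ADTS) over constructed directory data: the example.test domain, RODC1 and the user names are hypothetical. It treats msDS-RevealedUsers values as plain DNs (in AD they are DN-with-binary) and leaves out the never-reveal rules a DC applies regardless of policy (e.g. the krbtgt account). What it shows is the two points that matter for the situation above: membership in the allow and deny lists is evaluated transitively through nested groups, deny wins over allow, and any msDS-RevealedUsers entry the policy does not allow is a secret the RODC holds that it should not, which is exactly what preloading Administrator onto a denied RODC produces.

```python
"""Offline model of an RODC Password Replication Policy (PRP) plus an audit of
what the RODC has already had revealed to it.

Attribute names follow MS-ADTS (msDS-NeverRevealGroup, msDS-RevealOnDemandGroup,
msDS-RevealedUsers). All directory data below is constructed for illustration;
example.test, RODC1 and the user and group names are hypothetical.
"""

BASE = "DC=example,DC=test"  # hypothetical domain

# group DN -> direct members (user DNs or nested group DNs); constructed data
GROUP_MEMBERS = {
    f"CN=Domain Admins,CN=Users,{BASE}": [
        f"CN=Administrator,CN=Users,{BASE}",
    ],
    f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}": [
        f"CN=Domain Admins,CN=Users,{BASE}",   # nested group
        f"CN=krbtgt,CN=Users,{BASE}",
    ],
    f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}": [
        f"CN=Branch Users,CN=Users,{BASE}",    # nested group
    ],
    f"CN=Branch Users,CN=Users,{BASE}": [
        f"CN=alice,CN=Users,{BASE}",
        f"CN=bob,CN=Users,{BASE}",
    ],
}

# The RODC computer object's policy attributes (all multi-valued DN lists).
RODC = {
    "dn": f"CN=RODC1,OU=Domain Controllers,{BASE}",
    "msDS-NeverRevealGroup": [
        f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}",
        f"CN=bob,CN=Users,{BASE}",             # a user listed directly
    ],
    "msDS-RevealOnDemandGroup": [
        f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}",
    ],
    # In AD this attribute is DN-with-binary; only the DN part is modelled here.
    "msDS-RevealedUsers": [
        f"CN=alice,CN=Users,{BASE}",
        f"CN=Administrator,CN=Users,{BASE}",   # cached despite being denied
        f"CN=carol,CN=Users,{BASE}",           # cached but in no allow group
    ],
}


def expand_members(group_dn, members=GROUP_MEMBERS, _seen=None):
    """Transitive (nested) membership of a group, as a set of leaf DNs.

    A DN that is itself a key of `members` is a group and is recursed into;
    anything else is a leaf. `_seen` guards against nesting cycles.
    """
    seen = set() if _seen is None else _seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    leaves = set()
    for m in members.get(group_dn, []):
        if m in members:
            leaves |= expand_members(m, members, seen)
        else:
            leaves.add(m)
    return leaves


def prp_decision(user_dn, rodc, members=GROUP_MEMBERS):
    """Evaluate the PRP for one account.

    Returns (verdict, reason): verdict is "deny", "allow" or "not-allowed";
    reason is the policy entry (group or user DN) that decided it. The deny
    list is checked first, so an account that is both denied and allowed
    stays denied.
    """
    for entry in rodc["msDS-NeverRevealGroup"]:
        if user_dn == entry or user_dn in expand_members(entry, members):
            return ("deny", entry)
    for entry in rodc["msDS-RevealOnDemandGroup"]:
        if user_dn == entry or user_dn in expand_members(entry, members):
            return ("allow", entry)
    return ("not-allowed", None)


def audit_revealed(rodc, members=GROUP_MEMBERS):
    """Entries of msDS-RevealedUsers that the RODC's own PRP does not permit.

    Each violation is (user_dn, verdict, reason). Anything returned here is a
    secret the RODC holds that its policy says it should not.
    """
    violations = []
    for dn in rodc["msDS-RevealedUsers"]:
        verdict, reason = prp_decision(dn, rodc, members)
        if verdict != "allow":
            violations.append((dn, verdict, reason))
    return violations


if __name__ == "__main__":
    for dn, verdict, reason in audit_revealed(RODC):
        print(f"VIOLATION {dn}: {verdict} (by {reason})")
```

To use this against a real domain, read the three policy attributes from the RODC's computer object and the group memberships from the domain (ldbsearch or samba-tool against a writable DC) and feed them in; the decision order is the part worth keeping. Note that it only tells you what the policy says, not which DC enforced it, which is the open question in the post.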