SECURITY: password replication onto RODCs

Michael Brown michael at netdirect.ca
Fri Nov 29 10:35:17 MST 2013


I just accidentally loaded password credentials for the ENTIRE DOMAIN 
onto my RODC.

Samba RODCs are: sernet-samba-4.1.2-7.suse111
Windows DCs are: Windows 2008R2, updated as of 2013-11-12.

I was attempting to try some things to get rid of these replication 
errors which have been there since day one:

Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287073, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict adding object 'DC=6b51956f-604c-41a4-8366-6fb31664f468,DC=_msdcs.main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=ForestDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287700, 0] ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533380, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict adding object 'DC=_kerberos._tcp.Shire._sites,DC=main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533773, 0] ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

and I ran the following command with a Domain Administrator ticket:
michael@sles-bree:~> samba-tool drs replicate sles-bree.main.adlab.netdirect.ca ad1.main.adlab.netdirect.ca DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync --sync-forced

This caused a full re-replication of the partition, including the 
credentials for ALL ACCOUNTS IN THE DOMAIN (I verified with tdbdump).

Oops.

I can also replicate a user who is explicitly denied by using a domain 
administrator ticket:
sles-shire:/home/michael # samba-tool rodc preload administrator --server ad1.main.adlab.netdirect.ca -k yes
Replicating DN CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
Exop on[CN=Administrator,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca] objects[1] linked_values[3]

Windows *understands* that the password is being replicated to the RODC 
for an explicitly denied account and still permits it:
http://i.imgur.com/f9qDS2y.png

I'm not sure if it's the Windows DC's job to enforce the RODC password 
replication policy or the RODC's job. It *SHOULD* be the DC's job!

If I try and run it using a normal user account (or a user account 
that's delegated as an Administrator for the RODC in AD) the replication 
request fails (rejected by Samba):
michael@sles-shire:~> samba-tool drs replicate sles-shire.main.adlab.netdirect.ca ad1.main.adlab.netdirect.ca DC=main,DC=adlab,DC=netdirect,DC=ca -k yes --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Nov 29 12:11:40 sles-shire samba[8022]: [2013/11/29 12:11:40.405330, 0] ../source4/rpc_server/drsuapi/drsutil.c:106(drs_security_level_check)
Nov 29 12:11:40 sles-shire samba[8022]: DsReplicaSync refused for security token (level=10)

I wonder what would happen if I bypassed the checks in samba and had it 
make the full replica request. Would the DC send the full contents?

Anyways... is there a quick and easy way to purge credentials from the 
RODC replica?

M.

---
More specifically, all Windows updates are installed except:
Cumulative Security Update for ActiveX Killbits for Windows Server 2008 
R2 x64 Edition (KB2900986)
Cumulative Security Update for Internet Explorer 10 for Windows Server 
2008 R2 Service Pack 1 for x64-based Systems (KB2888505)
Microsoft .NET Framework 4.5.1 for Windows Server 2008 R2 x64-based 
Systems (KB2858725)
Security Update for Windows Server 2008 R2 x64 Edition (KB2647170)
Security Update for Windows Server 2008 R2 x64 Edition (KB2772930)
Security Update for Windows Server 2008 R2 x64 Edition (KB2853587)
Security Update for Windows Server 2008 R2 x64 Edition (KB2862152)
Security Update for Windows Server 2008 R2 x64 Edition (KB2868626)
Security Update for Windows Server 2008 R2 x64 Edition (KB2868725)
Security Update for Windows Server 2008 R2 x64 Edition (KB2875783)
Security Update for Windows Server 2008 R2 x64 Edition (KB2876331)
Update for Windows Server 2008 R2 x64 Edition (KB2806748)
Update for Windows Server 2008 R2 x64 Edition (KB2823180)
Update for Windows Server 2008 R2 x64 Edition (KB2893519)
Windows Malicious Software Removal Tool x64 - November 2013 (KB890830)

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
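As an added example (not part of Michael's post and not Samba project code), the following Python stitches the syslog-split Samba debug records quoted above back into whole records and tags the three kinds that appear in the thread: the "Conflict adding object ... read only for the partition" records, counted per naming context, the "Failed to commit objects" records with their error codes, and the DsReplicaSync refusal emitted by drs_security_level_check. The sample input is the post's own log lines, unwrapped. The partition extraction assumes that AD-integrated DNS objects sit under CN=MicrosoftDNS inside the DomainDnsZones/ForestDnsZones application partitions; the field names in the returned dicts are this example's own choice.

```python
"""Regroup and classify Samba RODC replication log lines (added example).

Samba writes each debug record as a header line
"[YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)" followed by one
or more message lines; syslog then prefixes every one of those lines with
its own timestamp, host and "samba[pid]:".  parse_records() stitches the
lines back into records and classify() tags the kinds seen in the post.
"""
import re
from collections import Counter

# Sample input: the log lines quoted in the post, with mail wrapping undone.
SAMPLE_LOG = """\
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287073, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict adding object 'DC=6b51956f-604c-41a4-8366-6fb31664f468,DC=_msdcs.main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=ForestDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.287700, 0] ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Nov 29 11:45:34 sles-bree samba[9723]: [2013/11/29 11:45:34.533380, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Nov 29 11:45:34 sles-bree samba[9723]: Failed to apply records: Conflict adding object 'DC=_kerberos._tcp.Shire._sites,DC=main.adlab.netdirect.ca,CN=MicrosoftDNS,DC=DomainDnsZones,DC=main,DC=adlab,DC=netdirect,DC=ca' from incoming replication as we are read only for the partition.
Nov 29 11:45:34 sles-bree samba[9723]: - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
Nov 29 12:11:40 sles-shire samba[8022]: [2013/11/29 12:11:40.405330, 0] ../source4/rpc_server/drsuapi/drsutil.c:106(drs_security_level_check)
Nov 29 12:11:40 sles-shire samba[8022]: DsReplicaSync refused for security token (level=10)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) samba\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
HEADER_RE = re.compile(
    r"^\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), (?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
DN_RE = re.compile(r"'(?P<dn>[^']+)'")


def partition_of(dn):
    """Naming context of an AD-integrated DNS object DN, or None.

    Assumption: DNS records live under CN=MicrosoftDNS inside the
    DomainDnsZones/ForestDnsZones partitions, so the suffix after that RDN
    is the partition the RODC was trying to write into."""
    if not dn:
        return None
    marker = "CN=MicrosoftDNS,"
    idx = dn.find(marker)
    return dn[idx + len(marker):] if idx >= 0 else None


def classify(message):
    """Tag one stitched-together record by its message text."""
    if "Conflict adding object" in message and "read only" in message:
        m = DN_RE.search(message)
        dn = m.group("dn") if m else None
        return {"kind": "rodc_conflict", "dn": dn, "partition": partition_of(dn)}
    if message.startswith("Failed to commit objects:"):
        codes = message.split(":", 1)[1].strip().split("/")
        return {"kind": "commit_failure", "errors": codes}
    if message.startswith("DsReplicaSync refused for security token"):
        lvl = re.search(r"level=(\d+)", message)
        return {"kind": "drs_access_denied",
                "token_level": int(lvl.group(1)) if lvl else None}
    return {"kind": "other"}


def parse_records(lines):
    """Stitch syslog lines into Samba debug records and classify each."""
    records = []
    for raw in lines:
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a samba syslog line; ignore
        msg = m.group("msg")
        h = HEADER_RE.match(msg)
        if h:  # a debug header starts a new record
            records.append({
                "host": m.group("host"), "pid": int(m.group("pid")),
                "time": h.group("time"), "level": int(h.group("level")),
                "source": f'{h.group("file")}:{h.group("line")}',
                "func": h.group("func"), "text": [],
            })
        elif records:  # message lines belong to the most recent header
            records[-1]["text"].append(msg.strip())
        # message lines arriving before any header are dropped
    for r in records:
        r["message"] = " ".join(r["text"])
        r.update(classify(r["message"]))
    return records


def summarize(records):
    """Conflict count per partition plus the number of refused DRS calls."""
    conflicts = Counter(r["partition"] for r in records if r["kind"] == "rodc_conflict")
    denied = sum(1 for r in records if r["kind"] == "drs_access_denied")
    return {"conflicts_per_partition": dict(conflicts), "access_denied": denied}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["host"], r["func"], r["kind"])
    print(summarize(recs))
```

Running it over the sample yields one conflict in each of the ForestDnsZones and DomainDnsZones partitions and one refused DsReplicaSync from sles-shire; pointing parse_records() at a real /var/log/messages instead lets you see whether the "Conflict adding object" records stay confined to the DNS partitions or spread to the domain partition.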



More information about the samba-technical mailing list