Video of my Kawaiicon talk: The "Dollar Ticket Attack" on AD and Linux Kerberos clients

Alexander Bokovoy ab at samba.org
Mon Jul 11 06:59:40 UTC 2022


On Mon, 11 Jul 2022, Andrew Bartlett via samba-technical wrote:
> On Sat, 2022-07-09 at 18:46 +1200, Andrew Bartlett via krbdev wrote:
> > I was going to wait until a per-talk video was hosted by the organisers
> > of the conference, but in the meantime this link into the live stream
> > works.
> > 
> > I'm sharing this as I wanted to share the video as folks have been
> > interested. 
> > 
> > https://youtu.be/4hBLf2vQc8k?t=30560
> > 
> > It would be great if the linux side could become harder to exploit at
> > some point, I have some suggestions at the end of the talk, and Sumit
> > has had some suggestions around disabling an 'a2ln' plugin. 
> > 
> > It would be good if someone could write up some good guidance for users
> > on how best to defend against it on the Linux side, both with a 'simple
> > keytab on server', or 'samba publishing keytab' or other similar
> > configurations.
> > 
> > I also tell the tale of how I broke into Windows AD last November,
> > similar to but more punchy than SambaXP talk, which I think was pretty
> > cool. 
> > 
> > Anyway, enjoy and be worried!
> 
> I've started to put together a wiki page mostly with links.  It is
> probably still at the stage of being confusing even to this audience
> (and is totally missing a 'how do I protect myself' section), but
> perhaps someone can help fill that out.  
> 
> In the meantime at least it links some of the various documents, talks,
> exploit steps etc:
> https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack
> 
> I would appreciate it being extended.  (Please don't be put off by
> needing to get an account, it is just a spam prevention barrier). 

Thank you, Andrew. I added suggestions we had been discussing with you
and Sumit on how to address it in a pure AD environment with SSSD
configuration and MIT config snippets.

I'd like to point out that this problem does not affect a FreeIPA
environment as there is no user machine quota support there and you
have to be an administrator to add resources like that. Also, Kerberos
principal alias support is enforcing uniqueness across all principals
in FreeIPA, so taking over other's name is not possible.


-- 
/ Alexander Bokovoy


