Automatically locating domain controller

Bjart Kvarme bjart.kvarme at usit.uio.no
Mon Oct 4 08:03:20 GMT 1999



> -----Original Message-----
> From: samba at samba.org [mailto:samba at samba.org]On Behalf Of Jeremy
> Allison
> Sent: Friday, October 01, 1999 9:42 PM
> To: Multiple recipients of list SAMBA
> Subject: Re: Automatically locating domain controller

 ...

> Also, this does mean that Samba will treat as a password
> server any machine that can successfully register a 1C
> name. I haven't done this yet as it bugs me that there is
> no security in name registration. I know this is what NT
> does, but what worries me is the following scenario.
>
> 1). Evil Hacker (tm) crashes the real NT PDC (quite easy I'm
> afraid if it has a TCP port 139 open).
>
> 2). Evil Hacker (tm) sets their own laptop up as a logon
> server and registers the 1C name for the domain (which they
> can now do as the PDC is down).

This is actually doable without bringing the PDC down. When I found a
machine called black registered as a BDC (1C name) in our NT WINS servers, I
was pretty sure Evil Hacker had visited us, but no... One of our support
people had installed Samba 2.0x on a computer running Linux and configured
the server with "wins server = our.wins.server" and "domain logons = yes". The
Linux box then registered 1C with the WINS server, and the WINS server
returned our 6 logon servers + black to every computer asking for the 1C
name. If black was operated by Evil Hacker, then he/she could expect to see
some useful login attempts to black.

The only way I know of to make this secure is to make the 1C (and probably
1B) names statically registered.

This does not prevent Evil Hacker from doing bad things if he/she has access
to your broadcast domain. Win9x and WinNT do an initial broadcast to find
logon servers, and an Evil Host or a badly configured Samba server could
cause a lot of trouble in this scenario. We have not seen any Evil Hosts
yet, but there have been a lot of private Linux boxes running a badly
configured Samba server. The moral of this is, do not use broadcast to find
1C names...

> 3). Evil Hacker (tm) uses smbclient to connect as user "root"
> to a Samba server, and sets his own laptop to allow any password
> authentication for the user "root"......
>
> 4). Trouble follows........

Yes, we have seen some of it :)

> This is why I haven't added this feature yet. The current
> password server code could be hacked this way if the name
> resolution is set to use a NetBIOS name resolution (wins,
> bcast) but cannot if it is set to use dns. This new feature
> would *always* be hackable in this way.
>
> Any comments, thoughts ?

I think the feature would be nice to have, but the documentation could
recommend using a static wins entry for the 1C name to stop Evil Hacker.
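The "6 logon servers + black" situation described above can be audited from the WINS side: ask the WINS server who answers for DOMAIN<1C> and compare the list with the logon servers you actually operate. The following is an added example, not code from this post or from Samba; the domain name and all addresses are constructed, and the reply builder only exists so the parser can be exercised offline.

```python
import socket
import struct

KNOWN_LOGON_SERVERS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}  # constructed allowlist

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding of NAME<suffix>: 16 raw bytes -> 32 letters A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + enc + b"\x00"           # length byte, 32 chars, root label

def build_1c_query(domain: str, txid: int = 0x1234) -> bytes:
    """Unicast NB name query for DOMAIN<1C>, the packet you would send to UDP/137 on a WINS server."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, B (broadcast) clear
    return header + encode_netbios_name(domain, 0x1C) + struct.pack(">HH", 0x0020, 0x0001)

def parse_1c_response(pkt: bytes) -> list[str]:
    """Return every group-entry address in the NB RR of a positive name query response."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an == 0:   # not a response, or RCODE set
        return []
    pos = 12
    if pkt[pos] & 0xC0 == 0xC0:        # compressed pointer back to the question name
        pos += 2
    else:                              # full label sequence ending in a zero-length label
        while pkt[pos]:
            pos += 1 + pkt[pos]
        pos += 1
    _rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    addrs = []
    for off in range(pos, min(pos + rdlen, len(pkt) - 5), 6):   # 6-byte entries, bounds-checked
        nb_flags = struct.unpack(">H", pkt[off:off + 2])[0]
        if nb_flags & 0x8000:          # group bit: 1C is always a group name
            addrs.append(socket.inet_ntoa(pkt[off + 2:off + 6]))
    return addrs

def rogue_registrants(addrs, known=KNOWN_LOGON_SERVERS) -> list[str]:
    return sorted(set(addrs) - set(known))   # answers for 1C that you do not operate

def sample_wins_reply(domain: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed WINS-style reply (full name, H-node group entries) for offline testing."""
    rdata = b"".join(struct.pack(">H", 0xE000) + socket.inet_aton(ip) for ip in ips)
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)   # response, AA, RD, RA
    rr = encode_netbios_name(domain, 0x1C) + struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata))
    return header + rr + rdata
```

Against a live WINS server, send the bytes from build_1c_query to UDP port 137 and feed the datagram you get back to parse_1c_response; a non-empty result from rogue_registrants is the "black" case.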
