[Samba] Possible PDC security hole re/machine accounts
Robert Adkins
raa at impelind.com
Mon Nov 25 14:51:02 GMT 2002
Diego,
When an NT-class or any Win9x-based machine is not officially part of a
domain, it can still utilize the domain resources as long as there is a
user account that has permission to utilize the domain.
When not part of the domain, the client machine will treat the domain as
a workgroup and EVERY client request will go through the validation
process. When connected to the domain, the valid user login is given a key
that allows the client machine to "skip" the validation process for every
share access, as the key provides the authorization.
You have found no bug. It is a standard piece of Windows
Domain/Workgroup networking. It is actually a good thing that it works
like that, as I would have had a serious problem when I partially brought
up a domain at the office recently, after experiencing a serious issue
with our old NT 4.0 PDC.
If you want to make sure that a client machine will have NO access to
any domain resources when not part of the domain, then the best way to do
that is to never create any user accounts on the local machine and to
generate a different password for the Administrator account than the one
used on the domain. If you must have local user accounts, don't allow the
user accounts to be able to change their passwords, or don't allow them
to use the same names on their local machines as they do on the domain.
Of course, when they attempt to connect to a resource, they would then
be prompted with a user account and password box for validation. Isn't
Microsoft Security grand?
Regards,
Robert Adkins II
IT Manager/Buyer
Impel Industries, Inc.
Ph. 586-254-5800
Fx. 586-254-5804
-----Original Message-----
From: Diego Rivera [mailto:lrivera at racsa.co.cr]
Sent: Sunday, November 24, 2002 10:10 PM
To: samba at lists.samba.org; Robert Adkins
Subject: [Samba] Possible PDC security hole re/machine accounts
Hey all!
I was fiddling with some LDAP stuff for fun's sake, and I ran into this
strange situation. The situation occurred with both my stock Samba and
my modifications applied.
I had a Win2000 Advanced Server machine already joined into the domain
and working perfectly with PDC logons through the Samba server (v2.2.7,
LDAP-SAM backend, OpenLDAP 2.0.25).
While testing if the searches were being done as my new code specified,
I explicitly removed the machine account for the W2K server expecting
future logons to fail due to a missing/invalid machine account. I would
then add the entry back to test if my code was finding stuff where it
needed to be found.
The strange thing is that even after the machine account was gone (and
the samba processes had been restarted multiple times), I was still able
to log in through the domain into that machine (W2K) - apparently
through the PDC as I was able to access shares on other machines that
should only be available to domain members. I rebooted the computer
(W2K) just in case, and restarted samba in the process and I was still
able to log in.
Just in case, I changed back to "stock" LDAP Samba (in case it was a bug
in my code), and the behavior was still the same.
This seems to me like a HUGE PDC security hole, unless I'm
misinterpreting the way PDC machine accounts are handled, and what's
supposed to happen when a machine account is removed.
It's my understanding that no NT-class machine (NT,2K,XP) can utilize
resources within a PDC-protected domain if they haven't been joined into
it and have a valid machine account in the PDC. If this is the case,
then this is clearly a BIG hole that needs to be plugged ASAP.
Anybody care to comment? Am I way out of whack here? Do I need to quit
programming and try my luck as a janitor? ;)
Best
Diego
PS/ The mods I was working on are adding "add machine script" and "ldap
machine suffix" functionality to Samba, to allow for better handling of
machine accounts from an admin level.
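An added example, not code from either message and not part of Samba: a small Python audit over an LDIF dump of the LDAP SAM (as produced by slapcat or ldapsearch) that checks the two points the thread turns on. It answers Diego's question of whether a workstation trust account is really gone from the SAM, and Robert's point that a non-member client can still pass share validation when a local account carries the same name (and password) as a domain user. It assumes the Samba 2.2 sambaAccount schema (uid, acctFlags, ntPassword, with W/S/I flags marking trust accounts); the entries, the machine name w2kadv$ and the list of local accounts are constructed sample data.

```python
"""Audit a Samba 2.2-style LDAP SAM dump (LDIF): is a machine trust account
present, and which domain user names also exist on a client's local SAM?
Added example (not from the thread or from Samba). Assumes the sambaAccount
objectClass of Samba 2.2; the LDIF below is constructed sample data."""

SAMPLE_LDIF = """\
dn: uid=diego,ou=People,dc=example,dc=cr
objectClass: sambaAccount
uid: diego
rid: 3002
acctFlags: [U          ]
ntPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=administrator,ou=People,dc=example,dc=cr
objectClass: sambaAccount
uid: administrator
rid: 500
acctFlags: [U          ]
ntPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=w2kadv$,ou=Computers,dc=example,dc=cr
objectClass: sambaAccount
uid: w2kadv$
rid: 3004
acctFlags: [W          ]
ntPassword: 00112233445566778899AABBCCDDEEFF
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.
    Handles blank-line separated entries, 'attr: value' lines and folded
    continuation lines (leading space). Base64 ('::') values are kept raw."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes last entry
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
            continue
        if raw.strip() == "":
            if lines:
                entry = {}
                for line in lines:
                    attr, _, value = line.partition(":")
                    entry.setdefault(attr.strip(), []).append(value.strip())
                entries.append(entry)
            lines = []
            continue
        if not raw.startswith("#"):           # skip LDIF comments
            lines.append(raw)
    return entries


def _samba_accounts(entries):
    return [e for e in entries if "sambaAccount" in e.get("objectClass", [])]


def machine_accounts(entries):
    """Trust accounts: uid ends in '$' or acctFlags carries W (workstation),
    S (server) or I (interdomain trust)."""
    out = []
    for e in _samba_accounts(entries):
        uid = e.get("uid", [""])[0]
        flags = e.get("acctFlags", [""])[0]
        if uid.endswith("$") or any(f in flags for f in "WSI"):
            out.append(uid)
    return out


def has_machine_account(entries, netbios_name):
    """Is the trust account for NETBIOS_NAME present? Samba stores it as the
    lower-cased machine name followed by '$'."""
    wanted = netbios_name.lower().rstrip("$") + "$"
    return any(e.get("uid", [""])[0].lower() == wanted
               for e in _samba_accounts(entries))


def local_name_collisions(entries, local_accounts):
    """Domain user names that also exist on the client's local SAM. With a
    matching password such an account lets an un-joined client pass share
    validation silently. Compared case-insensitively, as Windows does."""
    domain_users = {e.get("uid", [""])[0].lower()
                    for e in _samba_accounts(entries)
                    if not e.get("uid", [""])[0].endswith("$")}
    return sorted(n for n in local_accounts if n.lower() in domain_users)


if __name__ == "__main__":
    sam = parse_ldif(SAMPLE_LDIF)
    print("machine accounts:", machine_accounts(sam))
    print("W2KADV joined?   ", has_machine_account(sam, "W2KADV"))
    # Constructed list of accounts on the W2K client's local SAM
    print("risky local names:",
          local_name_collisions(sam, ["Administrator", "diego", "guest"]))
```

Run it against a real dump with `slapcat -b "dc=example,dc=cr" > sam.ldif` and `parse_ldif(open("sam.ldif").read())`; an empty result from has_machine_account confirms the trust account is gone, which, as Robert explains, still says nothing about whether a user with valid credentials can reach shares.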