[Samba] Client Uses Impostor DC

Andrew Martin amartin at xes-inc.com
Fri Aug 22 15:48:42 MDT 2014


----- Original Message -----
> From: "Gregory Sloop" <gregs at sloop.net>
> To: "Ben Cundiff" <bcundiff at xes-inc.com>
> Cc: samba at lists.samba.org
> Sent: Thursday, July 24, 2014 1:29:07 PM
> Subject: Re: [Samba] Client Uses Impostor DC
> 
> BC> Are there any preventative measures we
> BC> could take with either the Ubuntu 10.04/Samba 3.4.7 client or with
> BC> the DCs to prevent this issue from happening again if a
> BC> counterfeit DC were ever to be placed on our network again?
> 
> In a word, No.
> 
> If you allow someone physically connected to your network to setup a(n)
> DNS/DHCP/DC server, there's really nothing you can do to prevent the
> predictable havoc that will ensue.
> 
> Clients "find" the correct DC to contact to attempt authentication via DNS.
> If DNS is whacked, then all bets are off. If a DHCP server is running rogue
> and handing out bad addresses and options [namely DNS servers] then you
> can't "fix" that.
> 
> There's no security issue, since the clients will be attempting to contact
> the "bogus" DC with the PKI they used to generate the trust relationship
> with the "real" DC, and so the communication/authentication will simply
> fail.
> 

Following up on Ben's comments, we discovered that this rogue DC was able to
create entries in the real domain's DNS (we're using Samba's internal DNS 
server). I can see how the clients could start talking to the rogue DC if
DNS or DHCP were compromised, but is there any explanation for how it was 
allowed to add entries to the real domain's DNS? Note that this rogue server
did not show up in ADUC or elsewhere in AD.

Thanks,

Andrew


More information about the samba mailing list