[Samba] Client Uses Impostor DC

steve steve at steve-ss.com
Fri Aug 22 16:53:17 MDT 2014

On Fri, 2014-08-22 at 16:48 -0500, Andrew Martin wrote:
> ----- Original Message -----
> > From: "Gregory Sloop" <gregs at sloop.net>
> > To: "Ben Cundiff" <bcundiff at xes-inc.com>
> > Cc: samba at lists.samba.org
> > Sent: Thursday, July 24, 2014 1:29:07 PM
> > Subject: Re: [Samba] Client Uses Impostor DC
> > 
> > BC> Are there any preventative measures we
> > BC> could take with either the Ubuntu 10.04/Samba 3.4.7 client or with
> > BC> the DCs to prevent this issue from happening again if a
> > BC> counterfeit DC were ever to be placed on our network again?
> > 
> > In a word, No.
> > 
> > If you allow someone physically connected to your network to set up a(n)
> > DNS/DHCP/DC server, there's really nothing you can do to prevent the
> > predictable havoc that will ensue.
> > 
> > Clients "find" the correct DC to contact to attempt authentication via DNS.
> > If DNS is whacked, then all bets are off. If a DHCP server is running rogue
> > and handing out bad addresses and options [namely DNS servers] then you
> > can't "fix" that.
> > 
> > There's no security issue, since the clients will be attempting to contact
> > the "bogus" DC with the PKI they used to generate the trust relationship
> > with the "real" DC, and so the communication/authentication will simply
> > fail.
> > 
> Following up on Ben's comments, we discovered that this rogue DC was able to
> create entries in the real domain's DNS (we're using Samba's internal DNS 
> server). I can see how the clients could start talking to the rogue DC if
> DNS or DHCP were compromised, but is there any explanation for how it was 
> allowed to add entries to the real domain's DNS? Note that this rogue server
> did not show up in ADUC or elsewhere in AD.
> Thanks,
> Andrew
I don't know if this is relevant but we found out by accident that all
you need to connect is a laptop with a keytab. No check is made of your
IP or hostname. If you can rob a keytab you can use nsupdate -g against
DNS. We'd be interested to know if you can do it without robbery.
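Since the thread's point is that clients locate a DC through DNS and that a rogue host can get itself into the domain's zone, one defensive check is to audit the DC-locator SRV records against the list of DCs you actually run. The script below is an added example, not code from the thread or from the Samba project: it parses dig-style SRV answer lines (the kind returned by `dig +noall +answer SRV _ldap._tcp.dc._msdcs.<domain>`) and reports any target host that is not on the administrator's allowlist. The domain `example.local` and the hosts `dc1`, `dc2` and `rogue-dc` are constructed sample data, and the answer lines are embedded so the script runs offline.

```python
"""
Added example (not from the samba list thread): audit the SRV records that
Windows and Samba clients use to locate domain controllers, and flag any
target that is not on the allowlist of known DCs.

Feed it the answer-section lines of a query such as
  dig +noall +answer SRV _ldap._tcp.dc._msdcs.example.local
The record lines below are CONSTRUCTED sample data; "example.local",
"dc1", "dc2" and "rogue-dc" are hypothetical names.
"""
import re

# One dig answer line: name TTL class SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(lines):
    """Return a list of (name, port, target) tuples from dig-style SRV lines.

    Trailing dots are stripped and names are lower-cased so that comparisons
    are case-insensitive, as DNS names are. Blank lines, dig's ';' comment
    lines and non-SRV records are skipped.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            continue
        records.append((
            m["name"].rstrip(".").lower(),
            int(m["port"]),
            m["target"].rstrip(".").lower(),
        ))
    return records


def unexpected_dcs(records, known_dcs):
    """Return the sorted SRV targets that are not in the allowlist of known DCs."""
    allow = {h.rstrip(".").lower() for h in known_dcs}
    return sorted({target for _, _, target in records if target not in allow})


# CONSTRUCTED sample answer section; a real run would pass dig's output.
SAMPLE_ANSWER = """
; constructed dig-style output for the example
_ldap._tcp.dc._msdcs.example.local. 900 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 900 IN SRV 0 100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local. 900 IN SRV 0 100 389 rogue-dc.example.local.
_kerberos._tcp.dc._msdcs.example.local. 900 IN SRV 0 100 88 dc1.example.local.
""".splitlines()

# Hypothetical allowlist: the DCs the administrator knows they operate.
KNOWN_DCS = ["dc1.example.local", "dc2.example.local"]


if __name__ == "__main__":
    records = parse_srv(SAMPLE_ANSWER)
    for name, port, target in records:
        print(f"{name} -> {target}:{port}")
    for host in unexpected_dcs(records, KNOWN_DCS):
        print(f"WARNING: SRV record points at unknown DC {host}")
```

Run this periodically from a host that queries the domain's DNS directly (not a DHCP-supplied resolver), and alert on any non-empty result; the same parser works for the `_kerberos` and `_gc` locator records if you extend the query list.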
