[Samba] Setting up Backup AD DC

Andrew Bartlett abartlet at samba.org
Fri Oct 30 23:52:52 UTC 2020


On Fri, 2020-10-30 at 23:55 +0100, Norbert Hanke wrote:
> On 30.10.2020 20:44, Andrew Bartlett wrote:
> > On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
> > > On 29.10.2020 18:27, Tom Diehl via samba wrote:
> > > > Maybe I am missing something, but what is the secure way to run an
> > > > automated
> > > > backup on recent versions of samba? Can samba-tool domain backup be
> > > > made to use
> > > > kerberos so I do not need to store an admin password in an
> > > > unencrypted
> > > > file?
> > > > 
> > > > Regards,
> > > > 
> > > With Kerberos you need to have an [unencrypted] keytab file. Of
> > > course
> > > that is better than a password in a file, but it's not fundamentally
> > > different. The keytab content is just harder to spell than a
> > > password.
> > The offline backup is probably better for a cron-job if you are
> > hesitant about stored key/passwords.
> > 
> > But then again, a keytab with those same permissions is unencrypted in
> > the private folder (with strict permissions naturally) of every DC, so
> > the risks on the backup server are relatively the same as yet another
> > DC.
> > 
> > (DC accounts are equally powerful as the administrator really).
> > 
> > I hope this helps,
> > 
> > Andrew Bartlett
> > 
> I agree: being able to online-backup everything puts the backup server
> on an equal level as the DC.
> 
> And the same is true for anybody else having access to a backups (online
> or offline): having a copy of KRBTGT's keytab gives full power to
> impersonate everybody including all kinds of administrator users, most
> likely forever. Backups need to be very well protected.
> 
> IMHO that's the fundamental security weakness of AD (and Kerberos) in
> general: relying on KRBTGT's keys that reside in storage (for all
> practical implementations) and rarely get rotated, if at all.
> 
> Frankly, I wouldn't know how to rotate KRBTGT keys with a samba DC. For
> Windows DCs it's possible and Microsoft published a script to do so:
> https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
> . Would something similar be possible with Samba?

Yes, we rotate those keys with:
python3 ./source4/scripting/devel/chgkrbtgtpass 

Also remember to rotate your DC keys if you are doing this because of
concerns; I would run this script twice, just sleep in between to allow
a replication pulse:

python3 ./source4/scripting/devel/chgtdcpass 

I would love to have someone step up to fund or implement regular
password rotations for these as that Microsoft script suggests doing
this automatically without breaking the network is trickier than it
might first appear.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT         
http://catalyst.net.nz/services/samba
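The two-round rotation described in the reply above, as a wrapper script. This is an added example and not Samba's own code or anything posted in the thread: it assumes it is run as root on a DC from the root of a built Samba source tree (so the two devel scripts sit at the paths quoted above), that samba-tool is on PATH, and that PULSE_SECS and WAIT_SECS are placeholders to tune to your replication topology; it also assumes that chgtdcpass rotates the machine account of the DC it runs on, so it would be run on each DC. The reason for two rounds is that a KDC still accepts tickets encrypted under the previous krbtgt key, so one reset does not invalidate tickets issued earlier; the second reset, done only after the first has replicated to every DC, does. Resetting twice before the first reset has reached every DC breaks authentication across the domain, which is the part that is trickier than it first appears.

```shell
#!/bin/sh
# Double krbtgt/DC key rotation with a replication check between rounds.
# Added example, not Samba's code. Assumptions: run as root on a writable DC,
# from the root of a built Samba source tree (the two devel scripts are at the
# paths used in the post), samba-tool on PATH. Timings below are placeholders.

PULSE_SECS="${PULSE_SECS:-900}"   # assumed: long enough for a replication pulse
WAIT_SECS="${WAIT_SECS:-1800}"    # assumed: how long to wait for a clean showrepl

# Count neighbours that 'samba-tool drs showrepl' reports as failing.
# Reads showrepl output on stdin and prints the number of
# "N consecutive failure(s)." lines with N > 0 (0 when the topology is clean).
repl_failures() {
    awk '/consecutive failure\(s\)/ { if ($1 + 0 > 0) n++ } END { print n + 0 }'
}

# Poll showrepl until no neighbour reports failures, or give up after $1 seconds.
# A clean showrepl shows DRS is working; it is not proof that one particular
# change has reached every DC, which is why main() also sleeps PULSE_SECS.
wait_for_replication() {
    deadline=$(( $(date +%s) + $1 ))
    while :; do
        # Capture the output first: a showrepl that fails outright must not be
        # mistaken for an empty (clean) report.
        out=$(samba-tool drs showrepl) || {
            echo "samba-tool drs showrepl failed; not rotating" >&2
            return 1
        }
        failing=$(printf '%s\n' "$out" | repl_failures)
        [ "$failing" -eq 0 ] && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "showrepl still reports $failing failing neighbour(s); stopping" >&2
            return 1
        fi
        sleep 30
    done
}

# One rotation round: a new random krbtgt password, then a new password for
# this DC's own account (assumed scope of chgtdcpass; both commands are the
# ones given in the post).
rotate_once() {
    python3 ./source4/scripting/devel/chgkrbtgtpass
    python3 ./source4/scripting/devel/chgtdcpass
}

main() {
    set -eu
    wait_for_replication "$WAIT_SECS"   # never rotate on top of a broken topology
    rotate_once
    echo "first rotation done; waiting ${PULSE_SECS}s for a replication pulse" >&2
    sleep "$PULSE_SECS"
    wait_for_replication "$WAIT_SECS"
    rotate_once
    echo "second rotation done; tickets under the pre-rotation key are now rejected" >&2
    sleep "$PULSE_SECS"
    wait_for_replication "$WAIT_SECS"
}

# Only act when asked explicitly, so the functions can be sourced or tested.
case "${1:-}" in
    --run) main ;;
    *) echo "usage: $0 --run   (rotates krbtgt and this DC's key twice)" >&2 ;;
esac
```

Run it as `./rotate-krbtgt.sh --run` on one DC at a time, after a backup, and outside the window in which users hold long-lived tickets you still need; if showrepl is not clean the script refuses to start, which is the safe failure mode here.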
