[Samba] Resetting the krbtgt account password

Andrew Bartlett abartlet at samba.org
Wed Jan 27 03:58:07 UTC 2021

On Tue, 2021-01-26 at 07:55 +0100, cn--- via samba wrote:
> Hello you all,
> I was thinking about disaster recovery when this question came up.
> If 
> your AD would be compromised by an attacker which made himself a
> golden 
> ticket. Would the change of the password of the krbtgt account lock
> him out?
> I am looking at this:
> https://dev.tranquil.it/samba/en/samba_advanced_methods/samba_reset_krbtgt.html
> So I think this will help lockout any attacker who has a "normal"
> user 
> ticket. But will this also be true for a golden ticket?

Yes, this how to invalidate a golden ticket.  

However there are lots of other privileged accounts and keys in AD,
like every AD DC, administrator, and any user with access to replicate
passwords, or reset passwords (eg via changing ACLs).  

I would love for someone to write or fund a tool to list the
comprehensive set of accounts that are privileged, so this can be
audited regularly.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

More information about the samba mailing list