Anonymous

Samba - General mailing list

Hello, can you tell me how I can prevent, in my Samba, some application from reading my Active Directory users anonymously?
** Alcatel Onetouch Idol 3 (5.5) **

On 06/01/2018 16:55, Andrew Bartlett via samba <[hidden email]> wrote:

>
> On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba wrote:
> > I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories. Management is done from MS-RSAT installed on a Windows 7 Pro client.
> >
> > When I select the option "Account is sensitive and cannot be delegated" (in Active Directory Users and Computers under the Account tab) for a user account, regardless of its privileges, the user cannot log on to any client PC. Windows 7 responds "Logon failure: user account restriction. Possible reasons are blank passwords are not allowed, logon hour restrictions, or a policy restriction has been enforced" and a Debian Stretch client responds "You are not allowed to logon from this workstation". The Samba DC will provide a non-forwardable TGT if you ask for it with the kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable".
> >
> > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds with a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardable" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html), which states:
> >
> > 0x00100000: UF_NOT_DELEGATED:
> > The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT
> > for the account. It means the KDC will respond with an error if the client asks
> > for the forwardable ticket.  The client typically gives up and removes the
> > GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
> > Administrators can use this to disable possible delegation for the most
> > privileged accounts (e.g. administrator accounts).
> >
> > During the initial logon procedure, however, both Samba 4.5.12 and Windows 7 clients will actually give up and not continue by asking for a non-forwardable TGT, which means that the user will be locked out.
> >
> > Testing with Wireshark on another AD with one Windows 2008 R2 DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged in normally having a non-forwardable TGT. All subsequent TGS requests on the same logon session from a Windows 7 client didn't have the forwardable flag set.
> >
> > Should I file a bug for that, request that it be added to the Samba wiki, or am I doing something wrong?
>
> Yes, please file a bug.  Clearly we need a test for this.
>
> (Regarding Rowland's point, the Heimdal package on Debian won't
> actually be used by the Samba 4.5 package).
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/ 
> Authentication Developer, Samba Team  http://samba.org 
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba 
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
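The exchange Antonios describes above, as an added example that is not part of the thread and not Samba's own code: a small Python model of the KDC-side forwardable decision for an account with UF_NOT_DELEGATED set, the two client behaviours (retry without the forwardable flag, as kinit -F does, versus give up, which is the lockout he saw), and a helper that finds such accounts in ldbsearch-style LDIF output. The "reject_on_policy=False" mode models the Windows 2008 R2 DC in his capture, which ignored the flag and issued a non-forwardable TGT; the sample LDIF and the userAccountControl values in it are constructed, and the model covers only the forwardable flag, nothing else in the AS exchange.

```python
"""Added example (not from the thread or from Samba): model of the KDC policy
for UF_NOT_DELEGATED accounts and of what the client does with the
KRB5KDC_ERR_POLICY it gets back. Also lists accounts carrying the flag."""
from dataclasses import dataclass
from typing import List, Tuple, Union

UF_NOT_DELEGATED = 0x00100000   # userAccountControl bit, as in the CVE-2016-2125 advisory
KRB5KDC_ERR_POLICY = 12         # RFC 4120 KDC error code

# Subset of well-known userAccountControl bits, used for decoding only.
UAC_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00100000: "UF_NOT_DELEGATED",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
}


@dataclass
class AsRep:
    forwardable: bool


@dataclass
class KdcError:
    code: int
    e_text: str


def kdc_as_req(uac: int, request_forwardable: bool,
               reject_on_policy: bool = True) -> Union[AsRep, KdcError]:
    """KDC side of the AS exchange, reduced to the forwardable decision.

    reject_on_policy=True is the Samba 4.5.12 behaviour in the thread
    (KRB5KDC_ERR_POLICY); False models the Windows 2008 R2 DC the poster
    captured, which ignored the flag and issued a non-forwardable TGT.
    """
    if uac & UF_NOT_DELEGATED and request_forwardable:
        if reject_on_policy:
            return KdcError(KRB5KDC_ERR_POLICY, "Ticket may not be forwardable")
        return AsRep(forwardable=False)
    return AsRep(forwardable=request_forwardable)


def client_logon(uac: int, retry_without_forwardable: bool,
                 reject_on_policy: bool = True) -> Tuple[str, object]:
    """Client side. The first AS-REQ asks for a forwardable TGT, as kinit -f
    and a normal workstation logon do. Returns ("ok", forwardable) or
    ("failed", e_text). A client that does not retry is the lockout case."""
    rep = kdc_as_req(uac, True, reject_on_policy)
    if isinstance(rep, AsRep):
        return ("ok", rep.forwardable)
    if not retry_without_forwardable:
        return ("failed", rep.e_text)
    rep = kdc_as_req(uac, False, reject_on_policy)   # what kinit -F asks for
    assert isinstance(rep, AsRep)
    return ("ok", rep.forwardable)


def decode_uac(uac: int) -> List[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def accounts_with_flag(ldif: str, flag: int = UF_NOT_DELEGATED) -> List[str]:
    """sAMAccountNames whose userAccountControl has `flag` set, parsed from
    LDIF-style output such as ldbsearch prints for
    '(objectClass=user)' sAMAccountName userAccountControl."""
    hits = []
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if int(attrs.get("userAccountControl", "0")) & flag:
            hits.append(attrs.get("sAMAccountName", attrs.get("dn", "?")))
    return hits


# Constructed sample in the shape ldbsearch prints; not a real directory.
# 1114624 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | NOT_DELEGATED, 66048 lacks the flag.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
userAccountControl: 1114624

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 66048
"""

if __name__ == "__main__":
    for name in accounts_with_flag(SAMPLE_LDIF):
        print(name, "has", decode_uac(1114624))
    print("no retry, Samba policy  :", client_logon(1114624, False))
    print("retry as -F, Samba      :", client_logon(1114624, True))
    print("no retry, 2008 R2 style :", client_logon(1114624, False, reject_on_policy=False))
```

The point the model makes visible is that the lockout is a client-side outcome: the KDC answer is the one the advisory documents, and a client that re-requests without the forwardable flag logs on with a non-forwardable TGT, while one that stops at the first KRB5KDC_ERR_POLICY never logs on at all.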
Re: Anonymous

On Sat, 2018-01-06 at 18:07 -0500, Sandy Napoles Umpierre via samba
wrote:
> Hello, can you tell me how I can prevent, in my Samba, some application from reading my Active Directory users anonymously?
> ** Alcatel Onetouch Idol 3 (5.5) **

Anonymous access is not enabled in either the Microsoft or Samba AD DC
by default, except to the rootDSE, but it can be turned on with a
dsHeuristics flag.  Are you seeing anonymous access on your network?

Because this is the second time I've been asked, I did just try, and
this fails for me:

[abartlet@addc samba]$ bin/ldbsearch -H ldap://$SERVER -s sub
search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
Operation unavailable without authentication> <>

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


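Andrew's answer above, turned into something you can run, as an added example that is not part of the thread and not Samba's own code: the dsHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration controls anonymous LDAP operations through its 7th character (MS-ADTS fLDAPBlockAnonOps; Samba applies the same rule), and a value of '2' there is what turns anonymous access on. The first two functions read and edit that value offline; the third classifies the result of an anonymous ldapsearch run like the unauthenticated ldbsearch Andrew tried, and the fourth is the live probe itself. The probe assumes the OpenLDAP client tools are installed and is not exercised offline; the sample stderr text is constructed, not a capture.

```python
"""Added example (not from the thread or from Samba): check and change the
dsHeuristics setting that governs anonymous LDAP access on an AD DC, and
classify the result of an anonymous probe like the one in the thread."""
import subprocess
from typing import Optional, Tuple

# MS-ADTS dsHeuristics: character 7 (1-based) is fLDAPBlockAnonOps; '2' there
# permits anonymous LDAP operations beyond the rootDSE. Samba's
# dsdb_block_anonymous_ops() applies the same rule. The attribute lives on:
DS_HEURISTICS_DN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
DS_HR_BLOCK_ANONYMOUS_OPS = 7


def anonymous_ops_allowed(ds_heuristics: Optional[str]) -> bool:
    """True only when character 7 is '2'; an absent or shorter value blocks."""
    if ds_heuristics is None or len(ds_heuristics) < DS_HR_BLOCK_ANONYMOUS_OPS:
        return False
    return ds_heuristics[DS_HR_BLOCK_ANONYMOUS_OPS - 1] == "2"


def set_anonymous_ops(ds_heuristics: Optional[str], allow: bool) -> str:
    """Return a dsHeuristics value with only character 7 changed.

    Pads with '0' where needed and keeps the MS-ADTS rule that the 10th,
    20th, ... characters equal their position divided by 10 ('1', '2', ...),
    which the DC rejects if wrong. All other characters are preserved."""
    chars = list(ds_heuristics or "")
    while len(chars) < DS_HR_BLOCK_ANONYMOUS_OPS:
        chars.append("0")
    chars[DS_HR_BLOCK_ANONYMOUS_OPS - 1] = "2" if allow else "0"
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def classify_anonymous_search(returncode: int, stderr: str) -> Tuple[Optional[bool], str]:
    """Interpret an anonymous `ldapsearch -x` run. OpenLDAP's ldapsearch exits
    with the LDAP result code: 0 means the subtree search was served without
    a bind; 1 (operationsError) is what Samba returns together with
    '00002020: Operation unavailable without authentication'."""
    lines = [line.strip() for line in stderr.splitlines() if line.strip()]
    detail = lines[-1] if lines else "no diagnostic text"
    if returncode == 0:
        return (True, "subtree search succeeded without authentication")
    if returncode == 1:
        return (False, "operationsError: " + detail)
    return (None, "ldapsearch exited %d: %s" % (returncode, detail))


def probe_anonymous_search(server: str, base_dn: str, timeout: int = 15):
    """Live probe (needs the OpenLDAP client tools and network access; not run
    by the offline test). `-x` with no `-D` is an anonymous simple bind."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s" % server,
           "-b", base_dn, "-s", "sub", "(objectClass=user)", "sAMAccountName"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return classify_anonymous_search(proc.returncode, proc.stderr)


# Constructed stderr in the shape the thread's error suggests; not a capture.
SAMPLE_STDERR = ("ldap_search_ext: Operations error (1)\n"
                 "\tadditional info: 00002020: Operation unavailable without authentication\n")

if __name__ == "__main__":
    print("default (no dsHeuristics):", anonymous_ops_allowed(None))
    print("with 0000002             :", anonymous_ops_allowed("0000002"))
    print("value that clears it     :", set_anonymous_ops("0000002", allow=False))
    print(classify_anonymous_search(1, SAMPLE_STDERR))
```

If the probe reports True against one of your DCs, read dsHeuristics on the DN above: a '2' in position 7 is the switch Andrew refers to, and set_anonymous_ops(value, False) gives the value to write back; if the probe reports False but an application still sees user objects, that application is binding with some credential, not anonymously.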