On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
> On 29.10.2020 18:27, Tom Diehl via samba wrote:
> >
> > Maybe I am missing something, but what is the secure way to run an
> > automated backup on recent versions of samba? Can samba-tool domain
> > backup be made to use kerberos so I do not need to store an admin
> > password in an unencrypted file?
> >
> > Regards,
> >
> With Kerberos you need to have an [unencrypted] keytab file. Of course
> that is better than a password in a file, but it's not fundamentally
> different. The keytab content is just harder to spell than a password.

The offline backup is probably better for a cron-job if you are
hesitant about stored key/passwords.

But then again, a keytab with those same permissions is unencrypted in
the private folder (with strict permissions naturally) of every DC, so
the risks on the backup server are relatively the same as yet another
DC.

(DC accounts are equally powerful as the administrator really).

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
On 30.10.2020 20:44, Andrew Bartlett wrote:
> On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
>> On 29.10.2020 18:27, Tom Diehl via samba wrote:
>>> Maybe I am missing something, but what is the secure way to run an
>>> automated backup on recent versions of samba? Can samba-tool domain
>>> backup be made to use kerberos so I do not need to store an admin
>>> password in an unencrypted file?
>>>
>>> Regards,
>>>
>> With Kerberos you need to have an [unencrypted] keytab file. Of course
>> that is better than a password in a file, but it's not fundamentally
>> different. The keytab content is just harder to spell than a password.
> The offline backup is probably better for a cron-job if you are
> hesitant about stored key/passwords.
>
> But then again, a keytab with those same permissions is unencrypted in
> the private folder (with strict permissions naturally) of every DC, so
> the risks on the backup server are relatively the same as yet another
> DC.
>
> (DC accounts are equally powerful as the administrator really).
>
> I hope this helps,
>
> Andrew Bartlett
>
I agree: being able to online-backup everything puts the backup server
on an equal level as the DC.

And the same is true for anybody else having access to backups (online
or offline): having a copy of KRBTGT's keytab gives full power to
impersonate everybody including all kinds of administrator users, most
likely forever. Backups need to be very well protected.

IMHO that's the fundamental security weakness of AD (and Kerberos) in
general: relying on KRBTGT's keys that reside in storage (for all
practical implementations) and rarely get rotated, if at all.

Frankly, I wouldn't know how to rotate KRBTGT keys with a samba DC. For
Windows DCs it's possible and Microsoft published a script to do so:
https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
Would something similar be possible with Samba?

Regards,
Norbert
On Fri, 2020-10-30 at 23:55 +0100, Norbert Hanke wrote:
> On 30.10.2020 20:44, Andrew Bartlett wrote:
> > On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote:
> > > On 29.10.2020 18:27, Tom Diehl via samba wrote:
> > > > Maybe I am missing something, but what is the secure way to run an
> > > > automated backup on recent versions of samba? Can samba-tool domain
> > > > backup be made to use kerberos so I do not need to store an admin
> > > > password in an unencrypted file?
> > > >
> > > > Regards,
> > > >
> > > With Kerberos you need to have an [unencrypted] keytab file. Of course
> > > that is better than a password in a file, but it's not fundamentally
> > > different. The keytab content is just harder to spell than a password.
> > The offline backup is probably better for a cron-job if you are
> > hesitant about stored key/passwords.
> >
> > But then again, a keytab with those same permissions is unencrypted in
> > the private folder (with strict permissions naturally) of every DC, so
> > the risks on the backup server are relatively the same as yet another
> > DC.
> >
> > (DC accounts are equally powerful as the administrator really).
> >
> > I hope this helps,
> >
> > Andrew Bartlett
> >
> I agree: being able to online-backup everything puts the backup server
> on an equal level as the DC.
>
> And the same is true for anybody else having access to backups (online
> or offline): having a copy of KRBTGT's keytab gives full power to
> impersonate everybody including all kinds of administrator users, most
> likely forever. Backups need to be very well protected.
>
> IMHO that's the fundamental security weakness of AD (and Kerberos) in
> general: relying on KRBTGT's keys that reside in storage (for all
> practical implementations) and rarely get rotated, if at all.
>
> Frankly, I wouldn't know how to rotate KRBTGT keys with a samba DC. For
> Windows DCs it's possible and Microsoft published a script to do so:
> https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
> Would something similar be possible with Samba?

Yes, we rotate those keys with:

python3 ./source4/scripting/devel/chgkrbtgtpass

Also remember to rotate your DC keys if you are doing this because of
concerns, I would run this script twice, just sleep in between to allow
a replication pulse:

python3 ./source4/scripting/devel/chgtdcpass

I would love to have someone step up to fund or implement regular
password rotations for these as that Microsoft script suggests; doing
this automatically without breaking the network is trickier than it
might first appear.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba