Hi Andrew,
I did set "ms-DS-MachineAccountQuota: 0" and indeed only admins create
users. Is that a sufficient mitigation for the Dollar Ticket attack?
The other thing is I have smb-filesharing for Windows clients and
nfs-filesharing for Linux clients, currently on separate sub-trees to
avoid issues. I would like to consolidate those to one technology,
smb-filesharing.
But I do have some questions:
1. Do I need the unix-extensions for Linux clients (I have disabled <smb3,
i.e. cannot use unix-extensions at the moment)?
2. Are there any thoughts about sharing a home-dir between Windows and
Linux, currently nfs-home is at /home/<user> and smb (windows)
home-dir is somewhere else?
3. Is pam_mount the way to go to mount the smb-homedir at login? I
could not find much on the Wiki.
- Kees
On 21-06-2022 at 10:09, Andrew Bartlett wrote:
> On Tue, 2022-06-14 at 23:25 +0200, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>>
>> I have been using Kerberized nfs4 between 2 domain-members
>> successfully
>> since August last year.
>>
>> All machines are Debian 11. The NFS-server and the desktop run with
>> stock Samba 4.13.
>> In the end I replaced sec=krb5p on both sides (exports and autofs)
>> with
>> sec=sys and then there is immediately access. That tells me the
>> problem
>> must be related to Kerberos, which was my initial suspicion due to
>> the
>> way it stopped working 2 days ago (nothing changed in the
>> configurations
>> on either side).
>>
>> What would be the next thing to investigate?
> This isn't what you were looking for, and want to first say that if
> only administrators in your AD can create users you should be fine, but
> I did want to mention a security concern that hits Kerberised NFS (and
> other non-Samba services in an AD):
>
>
> I would warn you to look at the first few slides of:
>
>
> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
>
> https://www.youtube.com/watch?v=1BnraIAcybg
>
> Name-based authorization in AD can be very dangerous, if domain users
> are mapping the local users without any DOM\ prefix. If this was a
> Windows AD then accounts can be created in the domain via
> machineAccountQuota that match sensitive local users, like root.
>
> As you run Samba, you are safe if you only delegate user creation to
> users you trust to choose 'safe' names (eg not root$ or root), but I
> just want to start sharing this concern a bit more broadly.
>
> Andrew,
>
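The check Andrew's warning implies, written out as an added example (this is not code from the thread, from Samba, or from the sambaXP slides): given the domain's ms-DS-MachineAccountQuota and the list of sAMAccountNames, flag any domain account whose name would collide with a sensitive local Unix account on a member that maps names without a DOM\ prefix. The LDIF and /etc/passwd text below are constructed stand-ins for what `ldapsearch` and the member's passwd file would return; the rule that a machine account `root$` is treated as a candidate for local `root`, and the uid cut-off of 999 for "sensitive" system accounts, are assumptions of this example, not something the thread states.

```python
"""Added example: detect AD account names that could collide with local Unix
accounts when a domain member maps names without a DOM\\ prefix, and check
ms-DS-MachineAccountQuota. Not code from the Samba project or the thread."""

# Constructed stand-in for
#   ldapsearch -LLL -b DC=example,DC=com '(objectClass=user)' sAMAccountName
SAMPLE_USERS_LDIF = """\
dn: CN=kees,CN=Users,DC=example,DC=com
sAMAccountName: kees

dn: CN=root,CN=Computers,DC=example,DC=com
sAMAccountName: root$

dn: CN=backup,CN=Users,DC=example,DC=com
sAMAccountName: backup

dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
"""

# Constructed stand-in for
#   ldapsearch -LLL -s base -b DC=example,DC=com ms-DS-MachineAccountQuota
SAMPLE_DOMAIN_LDIF = """\
dn: DC=example,DC=com
ms-DS-MachineAccountQuota: 10
"""

# Constructed excerpt of a domain member's /etc/passwd
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
kees:x:1000:1000:Kees:/home/kees:/bin/bash
"""

# Assumption: uids at or below this are "system" accounts worth protecting.
MAX_SYSTEM_UID = 999


def parse_ldif_attr(ldif, attr):
    """Collect every value of `attr` across all entries of an LDIF blob."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def parse_passwd(passwd_text):
    """Map local user name -> uid from /etc/passwd-style text."""
    users = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def machine_account_quota(domain_ldif):
    """Return ms-DS-MachineAccountQuota as an int, or None if absent."""
    values = parse_ldif_attr(domain_ldif, "ms-DS-MachineAccountQuota")
    return int(values[0]) if values else None


def candidate_local_names(sam_account_name):
    """Local names a domain account could be mapped to with no DOM\\ prefix.
    AD names are case-insensitive while /etc/passwd is not, so both the raw
    and lower-cased forms count. Assumption: a machine account 'root$' is
    also considered a candidate for local 'root', per the warning about
    names like root$ in the thread."""
    cands = {sam_account_name, sam_account_name.lower()}
    if sam_account_name.endswith("$"):
        bare = sam_account_name[:-1]
        cands.update({bare, bare.lower()})
    return cands


def find_collisions(users_ldif, passwd_text, max_system_uid=MAX_SYSTEM_UID):
    """Return sorted (sAMAccountName, local_name, uid) tuples for domain
    accounts that would map onto a local system account."""
    local = parse_passwd(passwd_text)
    hits = set()
    for sam in parse_ldif_attr(users_ldif, "sAMAccountName"):
        for cand in candidate_local_names(sam):
            if cand in local and local[cand] <= max_system_uid:
                hits.add((sam, cand, local[cand]))
    return sorted(hits)


if __name__ == "__main__":
    quota = machine_account_quota(SAMPLE_DOMAIN_LDIF)
    print("ms-DS-MachineAccountQuota =", quota,
          "(OK)" if quota == 0 else "(non-admins can add machine accounts)")
    for sam, local_name, uid in find_collisions(SAMPLE_USERS_LDIF, SAMPLE_PASSWD):
        print(f"collision: domain '{sam}' -> local '{local_name}' (uid {uid})")
```

On a real member the two LDIF inputs come from `ldapsearch` (or `samba-tool` on a DC) and the passwd text from `getent passwd` restricted to local sources; an ordinary user account that intentionally matches a local login with a uid above the cut-off, such as `kees` here, is not reported.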