Bug 5620 - Domain Controller Role Change
Summary: Domain Controller Role Change
Status: RESOLVED FIXED
Alias: None
Product: mod_auth_ntlm_winbind
Classification: Unclassified
Component: module (show other bugs)
Version: 0.1
Hardware: Other Windows 2003
: P3 major
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Gerald (Jerry) Carter (dead mail address)
URL:
Keywords:
: 5621 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-07-17 08:54 UTC by Doug Jacobsen
Modified: 2014-04-21 15:42 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Doug Jacobsen 2008-07-17 08:54:33 UTC 
Winbind paired with krb5-user is able to change the role of any computer in the domain (when using misconfigured setup files). Even the role of the domain controller.

When writing the config files, krb5.conf and smb.conf  if the domain controller (or any other server) is entered in as the computer, then when you attempt to join the computer to the domain the active directory entry for the controller (or server) is overwritten. 

I recently ran into this issue and took down an entire domain doing this, of course the misconfigured files is my fault, but I felt this was not something that should be able to happen in the first place. If a user attempts to connect as the domain controller there should be an error and the user should not be able to continue with the process, at least this is my opinion of how things should work. But i just feel like you shouldn't be able to overwrite the domain controllers attributes in it's own domain.
Comment 1 Guenther Deschner 2008-11-17 07:43:10 UTC 
*** Bug 5621 has been marked as a duplicate of this bug. ***
Comment 2 Lars Müller 2014-04-21 15:32:08 UTC 
Please reopen if this is still the case with the current Samba 4.0 or 4.1 code
base?

Have you consider to use the Apache mod_auth_kerb from
http://modauthkerb.sourceforge.net/ instead?