Bug 5620 - Domain Controller Role Change
Product: mod_auth_ntlm_winbind
Classification: Unclassified
Component: module
Hardware: Other Windows 2003
Importance: P3 major
Assigned To: Samba Bugzilla Account
Gerald (Jerry) Carter
Duplicates: 5621
Reported: 2008-07-17 08:54 UTC by Doug Jacobsen
Modified: 2014-04-21 15:42 UTC
Description Doug Jacobsen 2008-07-17 08:54:33 UTC
Winbind paired with krb5-user is able to change the role of any computer in the domain (when using misconfigured setup files). Even the role of the domain controller.

When writing the config files, krb5.conf and smb.conf, if the domain controller (or any other server) is entered in as the computer, then when you attempt to join the computer to the domain the Active Directory entry for the controller (or server) is overwritten.

I recently ran into this issue and took down an entire domain doing this. Of course the misconfigured files are my fault, but I felt this was not something that should be able to happen in the first place. If a user attempts to connect as the domain controller there should be an error and the user should not be able to continue with the process; at least this is my opinion of how things should work. But I just feel like you shouldn't be able to overwrite the domain controller's attributes in its own domain.
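The misconfiguration described in this report, turned into a pre-join check. This is an added example, not part of the original report and not Samba code. It assumes the machine name comes from `netbios name` in smb.conf (falling back to the short host name) and that the domain controllers are the hosts listed as `kdc`, `admin_server` or `master_kdc` in krb5.conf; the function names and sample configs are constructed.

```python
import re

def smb_netbios_name(smb_conf: str, fallback_host: str) -> str:
    """Name the machine would join as: [global] 'netbios name', else short host name."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # compare the parameter name without regard to case or spacing
            if key.replace(" ", "").lower() == "netbiosname":
                return value.strip().upper()
    return fallback_host.split(".")[0].upper()

def krb5_server_hosts(krb5_conf: str) -> set:
    """Short host names of every kdc / admin_server / master_kdc entry."""
    pattern = r"^\s*(?:kdc|admin_server|master_kdc)\s*=\s*(\S+)"
    hosts = set()
    for m in re.finditer(pattern, krb5_conf, re.M | re.I):
        host = m.group(1).split(":")[0]           # drop optional :port
        hosts.add(host.split(".")[0].upper())
    return hosts

def join_name_collides(smb_conf: str, krb5_conf: str, fallback_host: str):
    """Return (collides, name): True means the join name equals a listed server."""
    name = smb_netbios_name(smb_conf, fallback_host)
    return name in krb5_server_hosts(krb5_conf), name

# Constructed sample configs (EXAMPLE.TEST, dc1 and web01 are placeholders).
KRB5 = """[realms]
  EXAMPLE.TEST = {
    kdc = dc1.example.test:88
    admin_server = dc1.example.test
  }
"""
BAD_SMB = "[global]\n  realm = EXAMPLE.TEST\n  security = ads\n  netbios name = dc1\n"
GOOD_SMB = BAD_SMB.replace("netbios name = dc1", "netbios name = web01")

if __name__ == "__main__":
    for label, conf in (("bad", BAD_SMB), ("good", GOOD_SMB)):
        collides, name = join_name_collides(conf, KRB5, "web01.example.test")
        print(label, name, "REFUSE JOIN" if collides else "ok to join")
```

Run a check like this before attempting the join, and abort when it reports a collision.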
Comment 1 Guenther Deschner 2008-11-17 07:43:10 UTC
*** Bug 5621 has been marked as a duplicate of this bug. ***
Comment 2 Lars Müller 2014-04-21 15:32:08 UTC
Please reopen if this is still the case with the current Samba 4.0 or 4.1 code

Have you considered using the Apache mod_auth_kerb from
http://modauthkerb.sourceforge.net/ instead?