The workstation account, netlogon schannel and credentials. SambaXP Volker Lendecke Samba Team / SerNet

Similar documents
SDC EMEA 2019 Tel Aviv

Windows Authentication With Multiple Domains and Forests

The Important Details Of Windows Authentication

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

Windows Authentication With Multiple Domains and Forests

SMB2 and SMB3 in Samba: Durable File Handles and Beyond. sambaxp 2012

Cross-realm trusts with FreeIPA v3

The return of the vampires

Samba. OpenLDAP Developer s Day. Volker Lendecke, Günther Deschner Samba Team

SNIA SDC 2018 Santa Clara

Active Directory Attacks and Detection

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

FreeIPA Cross Forest Trusts

Samba 4 Status Report

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

Clustered Samba Challenges and Directions. SDC 2016 Santa Clara

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Badlock. One Year In Security Hell. Stefan Metzmacher Samba Team / SerNet

Security Services for Samba4. Andrew Bartlett Samba Team

Network Security Essentials

SMB3 Multi-Channel in Samba

TLS Client Certificate and Smart Card Logon

Pass-the-Hash Attacks. Michael Grafnetter

SerNet. Samba Status Update. SNIA SDC 2011 Santa Clara, CA. Volker Lendecke SerNet Samba Team

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Improving DCERPC Security

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan

Improving DCERPC Security Hardening

Configuring Request Authentication and Authorization

Guide to Windows 2000 Kerberos Settings

CSCE 813 Internet Security Kerberos

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Trusted Intermediaries

AIT 682: Network and Systems Security

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Kerberos V5. Raj Jain. Washington University in St. Louis

KEY DISTRIBUTION AND USER AUTHENTICATION

Factotum Sep. 24, 2007

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

Active Directory Attacks and Detection Part -II

CISNTWK-11. Microsoft Network Server. Chapter 4

Network Security: Kerberos. Tuomas Aura

Pass-the-Hash Attacks

SerNet. Async Programming in Samba. Linuxkongress Oktober Volker Lendecke SerNet Samba Team. Network Service in a Service Network

Fall 2010/Lecture 32 1

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

The Kerberos Authentication Service

A new DCERPC infrastructure for Samba

Advanced Security Measures for Clients and Servers

Session Objectives and Takeaways

A new DCERPC infrastructure for Samba

The Kerberos Authentication System Course Outline

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

SQL Server Security. Marek

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

How to Integrate an External Authentication Server

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Configuring Content Authentication and Authorization on Standalone Content Engines

ACS 5.x: LDAP Server Configuration Example

Lorikeet Integrated Authentication

Extending Security Functions for Windows NT/2000/XP

Andrew Bartlett Hawker College

PASSWORDS & ENCRYPTION

The Samba-3: Overview, Authentication, Integration

ISSN: EverScience Publications 149

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Managing External Identity Sources

Radius, LDAP, Radius used in Authenticating Users

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Post-Exploitation with WCE v1.2

Active Directory Attacks and Detection

Cryptography and Network Security

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

Overview of Authentication Systems

GLOBUS TOOLKIT SECURITY

CS530 Authentication

Securing MQTT. #javaland

SAML-Based SSO Solution

Password policy settings control the complexity and lifetime for passwords. This section discusses each specific password policy setting

Cisco TelePresence Device Authentication on Cisco VCS

MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security Certified Ethical Hacker CISA.

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

Samba in a cross protocol environment

Information Security CS 526

Active Directory trust relationships

Distributed Systems Exam 3 Review. Paul Krzyzanowski. Rutgers University. Fall 2016

The Samba-3 Enchilada: Overview, Authentication, Integration

Kerberos MIT protocol

Security+ SY0-501 Study Guide Table of Contents

10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

Kerberos and Active Directory symmetric cryptography in practice COSC412

User Authentication Principles and Methods

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

CTDB + Samba: Scalable Network Storage For The Cloud. Storage Networking World Europe 2011

Advances in the Samba Testsuite

Configure advanced audit policies

Transcription:

The workstation account, netlogon schannel and credentials SambaXP 2018 Göttingen Volker Lendecke Samba Team / SerNet 2018-06-06

Volker Lendecke Samba Status (2 / 10) Why this talk? To me, NETLOGON and schannel were a big mystery I could never remember what kind of key is used when, what can be shared where, what needs to be locked how. In 2017, a customer asked me to optimize the winbind NETLOGON client for a cluster A deep-dive into cli netlogon.c and netlogon creds cli.c was due The results: Some serious optimizations for a clustered environment Me understanding the data structures this talk For all the fine crypto details, ask Metze :-)

Volker Lendecke Samba Status (3 / 10) Active Directory Membership Active Directory is Microsoft s central user database Successor to NT4-based Security Account Manager (SAM) Member workstations and servers delegate authentication and authorization to the domain Multiple requirements for crytpgraphy Workstations need to trust the Domain Controllers (DCs) Rogue DC could fake local root/administrator to members User details need to be encrypted Privacy requirements, offline attacks Authentication yields user session key material

Volker Lendecke Samba Status (4 / 10) Symmetric Cryptography for Membership Trust between domain and members based on a shared secret Every member holds a workstation account Account password used as a shared secret Existing protocols for user password changes can be re-used Kerberos Strong authentication protocol based on symmetric crypto Workstation account service principal Based on tickets with lifetimes NTLM Challenge-Response protocol No tickets, direct queries to the domain NETLOGON Wrapper for pass-through NTLM queries

Volker Lendecke Samba Status (5 / 10) NETLOGON Microsoft RPC interface described in [MS-NRPC] https://msdn.microsoft.com/en-us/library/cc237008.aspx Specifies the Netlogon Remote Protocol, an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for operating systems earlier than Windows 2000 backup domain controllers; to maintain domain relationships from the members of a domain to the domain controller, among domain controllers for a domain, and between domain controllers across domains; and to discover and manage these relationships.

Volker Lendecke Samba Status (6 / 10) NETLOGON Secure Channel Setup Having a workstation account enables the trusting workstation to establish a NETLOGON secure channel to DCs of the trusted domain RPC-calls used to establish a secure channel: ServerReqChallenge() and ServerAuthenticate() are used for challenge/response authentication Both calls are used on an unauthenticated, plain-text RPC connection Result from a successful ServerAuthenticate: struct netlogon creds CredentialState librpc/idl/schannel.idl Stored in netlogon creds cli.tdb (client) and schannel.tdb (server) netlogon creds cli auth send/recv() in libcli/auth/netlogon creds cli.c do the ReqChallenge/Authenticate steps.

Volker Lendecke Samba Status (7 / 10) Using netlogon creds CredentialState Credentials for encrypted bind to NETLOGON rpc service Custom DCERPC authentication type (auth type=68, schannel) DCERPC bind only passes domain and computer name Session key from netlogon creds CredentialState used like a temporary password and sign/seal crypto seed Once logged in to SCHANNEL, netlogon creds CredentialState is no longer used for this purpose Functions using netr Authenticator netr LogonSamLogon[WithFlags](), netr ServerPasswordSet[2](), netr LogonGetDomainInfo(), netr GetForestTrustInformation() and others. The netr Authenticator implies a global (!) sequence and ordering, thus an exclusive lock on netlogon creds CredentialState required

Volker Lendecke Samba Status (8 / 10) Scaling authentication netr LogonSamLogon() and netr LogonSamLogonWithFlags() use the netr Authenticator Limited to one request in-flight globally Exclusive lock on netlogon creds CredentialState across SamLogon Called the netlogon credential chain in lkcl s book Designed to prevent session highjacking With a secure (signed and encrypted) transport, this is no longer necessary Schannel-protected Netlogon RPC can use netr LogonSamLogonEx(), which avoids the netr Authenticator Multiple connections to a DC have multiple SamLogonEx in flight

Volker Lendecke Samba Status (9 / 10) Implementation issues Requirement: Clustered exclusive and shared locks dbwrap only implements exclusive locks g lock on top of dbwrap implements shared and exclusive locks netlogon creds cli.tdb entries are protected by a g lock Two tdb files involved g lock can now store data We could implement netlogon creds cli.tdb directly using g lock code Let s look at some code

Volker Lendecke Samba Status (10 / 10) Questions? vl@samba.org / vl@sernet.de http://www.sambaxp.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback