RE: Denial of service when using Active Directory for KDC ? - Kerberos


  1. RE: Denial of service when using Active Directory for KDC ?

    Javier,

    Thank you. I have a related question for you:

    In order to use a user account to run ktpass against, I first need to create the user account (e.g. service.account@domain.com). When I use ktpass I specify the name of this account using the -mapuser parameter.

    With the above in consideration, surely it is possible to use kinit, Windows logon, or some other authentication method to log on as service.account@domain.com and cause this account to get locked when the password attempt is wrong more than x times?

    If I understand correctly, the principal name given when ktpass is run is used as an alias, but the account in AD can still be accessed using the firstname.lastname@domain format?

    I look forward to your feedback.

    Regards, Tim

    ________________________________

    From: jpbermejo [mailto:jpbermejo@prisacom.com]
    Sent: Fri 06/05/2005 09:34
    To: Markus Moeller; Tim Alsop
    Cc: kerberos@mit.edu
    Subject: Re: Denial of service when using Active Directory for KDC ?



    On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
    > Tim,
    > in our setup we use computer accounts instead of user accounts, and have not
    > experienced this issue. I think the latest ktpass can do this with
    > mapuser having a $ at the end.


    I don't know about computer accounts, but this DoS is not possible if
    you are using service principals. Active Directory doesn't allow login
    for service principals, and keytabs are only useful to decrypt tickets.
    Making an LDAP query to AD, you can get things like

    dNSHostName: sist03lnx.domain.com
    userPrincipalName: HOST/sist03lnx@DOMAIN.COM
    servicePrincipalName: HTTP/sist03lnx.domain.com
    servicePrincipalName: HTTP/sist03lnx

    In this case, only HOST/sist03lnx keytab works with `kinit -k`. If you
    attempt to get a TGT with the other principals, you get nothing.

    Javier Palacios


    ================================================== ==========================
    This e-mail message and any attached files are intended SOLELY for the addressee/s identified
    herein. It may contain CONFIDENTIAL and/or LEGALLY PRIVILEGED information and may not
    necessarily represent the opinion of this company. If you receive this message in ERROR,
    please immediately notify the sender and DELETE it since you ARE NOT AUTHORIZED to use,
    disclose, distribute, print or copy all or part of the contained information. Thank you.
    ================================================== ==========================




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. RE: Denial of service when using Active Directory for KDC ?

    On Fri, 2005-05-06 at 11:28 +0200, Tim Alsop wrote:
    > Javier,
    >
    > Thank you. I have a related question for you:
    >
    > In order to use a user account which is then used to run ktpass
    > against I need to first create the user account (e.g.


    I did use that method many months ago, with a 2000 domain. Now, with a
    2003 domain, I have actually never tried ktpass seriously, and I use either
    samba or css_adkadmin. The first one forces node.domain.com into node$
    as principal name, whereas the second allows HOST/node.domain.com. Both
    are standard computer accounts, like any other Windows machine.
    You can get a TGT (or any other tickets) for these principals using the
    proper keytab.

    > If I understand it correctly the principal name given when ktpass is
    > run is used as an alias, but the account in AD can still be accessed
    > using the firstname.lastname@domain format ?


    As I don't use ktpass anymore, no alias or mapping to user accounts is
    performed. With both samba and adkadmin you can create service
    principals, and those are again pure Windows service principals (as, for
    example, LDAP/your.domain.controller). Those principals, at least on the
    Unix side, are not allowed to acquire tickets (neither TGT nor service
    ones), so they cannot be 'denialed' anyway, as the keytab is only used to
    decrypt tickets from other requesting principals.

    Javier Palacios



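The test Javier describes in both messages (`kinit -k` succeeds with the HOST/ entry of a keytab while the HTTP/ entries yield nothing) is easy to repeat systematically against your own keytab. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it takes the principals listed by `klist -k`, runs MIT `kinit -kt` for each one into a throwaway credential cache, and reports which principals the AD KDC actually issues a TGT for. The sample `klist` output, the keytab path and the principal names are constructed for illustration; MIT kinit option syntax is assumed.

```python
"""Probe which principals in a keytab can obtain a TGT with `kinit -k`.

Added example (not from the mailing-list thread). Enumerates the principals
stored in a keytab from `klist -k` output, then runs MIT `kinit -kt` for each
one and records whether the KDC issued a TGT. The sample klist output below is
constructed; the keytab path and principal names are assumptions.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample of MIT `klist -k` output for a host keytab that carries
# both a HOST/ entry and two HTTP/ aliases (one of them in two key versions).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST/sist03lnx@DOMAIN.COM
   3 HTTP/sist03lnx.domain.com@DOMAIN.COM
   3 HTTP/sist03lnx@DOMAIN.COM
   2 HTTP/sist03lnx@DOMAIN.COM
"""

# One keytab entry line: a key version number followed by principal@REALM.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(output):
    """Return the distinct principals from `klist -k` output, in first-seen order.

    Several key versions of one principal collapse into a single entry, because
    kinit selects the keytab key by principal name, not by KVNO.
    """
    principals = []
    for line in output.splitlines():
        match = _ENTRY_RE.match(line)
        if match and match.group(2) not in principals:
            principals.append(match.group(2))
    return principals


def kinit_command(keytab, principal, ccache):
    """MIT kinit invocation that authenticates from the keytab only (no prompt)."""
    return ["kinit", "-kt", keytab, "-c", ccache, principal]


def probe_principal(keytab, principal, timeout=15):
    """Try to obtain a TGT for one principal. Returns (ok, kinit message)."""
    if shutil.which("kinit") is None:
        return False, "kinit not installed"
    # A private credential cache keeps the caller's own TGT untouched.
    fd, ccache = tempfile.mkstemp(prefix="krb5cc_probe_")
    os.close(fd)
    try:
        proc = subprocess.run(
            kinit_command(keytab, principal, ccache),
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=timeout,
        )
        return proc.returncode == 0, (proc.stdout + proc.stderr).strip()
    except subprocess.TimeoutExpired:
        return False, "kinit timed out (no reachable KDC?)"
    finally:
        if os.path.exists(ccache):
            os.unlink(ccache)


def probe_keytab(keytab, klist_output=None):
    """Map every principal in the keytab to its (ok, message) probe result.

    klist_output may be passed in (e.g. captured earlier); otherwise `klist -k`
    is executed against the keytab.
    """
    if klist_output is None:
        klist_output = subprocess.run(
            ["klist", "-k", keytab], capture_output=True, text=True, check=True
        ).stdout
    return {p: probe_principal(keytab, p) for p in parse_klist(klist_output)}


if __name__ == "__main__":
    # Assumed keytab path; run on a domain-joined host to see which entries
    # (HOST/ versus HTTP/ aliases) the AD KDC will hand a TGT to.
    for principal, (ok, message) in probe_keytab("/etc/krb5.keytab").items():
        print(f"{'TGT' if ok else 'no TGT':7} {principal}  {message}")
```

Run it as a user with read access to the keytab. One caveat that bears on Tim's question: when the keytab belongs to an ordinary user account (the ktpass -mapuser case), a failed pre-authentication with a stale key is a bad-password attempt from the KDC's point of view and counts toward the account lockout threshold, so run the probe once after a key change rather than in a loop.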

