net rpc command potentially dangerous on Windows 2003 Server

Bug #358261 reported by therebel22
Affects         Status    Importance  Assigned to  Milestone
samba (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Binary package hint: samba

Hi,
It is a feature request:

Example:
- you have a Windows 2003 Domain Controller named "dc1".
- you have a Linux machine, and in smb.conf a mistake is made: the "netbios name" parameter is set to "dc1".

If you want to join the machine to your domain, and you use "net rpc" instead of "net ads", the command will succeed. But the DC1 machine object on your 2003 Domain Controller will be replaced by a new object that refers to the Linux machine!

At this point, after a reboot, your Windows 2003 Domain Controller is unusable (DNS down, can't contact Active Directory).

The solution is to use the Microsoft tool netdom resetpwd.

It would be great if net rpc detected an existing machine object with the same name as the Linux machine.
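One way to implement the pre-join check requested above on the client side, as an added example that is not Samba's code and not part of this report: work out which NetBIOS name Samba will register, look that name up among the domain's existing computer accounts, and refuse to proceed when the account already exists, treating a hit on a domain controller (userAccountControl bit 0x2000, SERVER_TRUST_ACCOUNT) as the catastrophic case described here. The smb.conf text and the "attribute: value" dump of computer accounts are constructed sample data; in real use the dump would come from an LDAP query against the DC (for example the output of net ads search) run before net rpc join. The hostname and account values are assumptions for the example.

```python
"""Client-side guard for the failure mode in this report: before running
"net rpc join", determine the NetBIOS name Samba will register and refuse
the join if a computer account with that name already exists, especially
one belonging to a domain controller.

Added example, not Samba code. The LDAP dump below is constructed as
blank-line separated 'attribute: value' blocks; a real check would feed in
the output of a query against the DC instead."""
import re

# userAccountControl flag bits (MS-SAMR / MS-ADTS)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000      # set on domain controller accounts


def netbios_name_from_smb_conf(text, hostname):
    """Return the NetBIOS name Samba will use: the [global] 'netbios name'
    if set, otherwise the first DNS label of hostname. The result is
    upper-cased and cut to the 15-character NetBIOS limit."""
    name = hostname.split('.')[0]
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':          # smb.conf comment lines
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != 'global' or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        # Samba ignores case and whitespace in parameter names
        if re.sub(r'\s+', '', key).lower() == 'netbiosname':
            name = value
    return name.upper()[:15]


def parse_attribute_blocks(text):
    """Parse blank-line separated 'attr: value' blocks into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if ': ' in line:
            attr, value = line.split(': ', 1)
            current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def classify_account(entries, netbios_name):
    """'free' if no computer account uses this name, otherwise 'workstation'
    or 'domain-controller' according to the userAccountControl bits."""
    wanted = netbios_name.upper() + '$'
    for e in entries:
        if e.get('sAMAccountName', '').upper() != wanted:
            continue
        uac = int(e.get('userAccountControl', '0'))
        if uac & UF_SERVER_TRUST_ACCOUNT:
            return 'domain-controller'
        return 'workstation'
    return 'free'


def join_is_safe(smb_conf_text, ldap_dump, hostname):
    """Return (name, verdict, ok). ok is False whenever an account already
    exists: a DC match is the outage from this report, and even a
    workstation match means the join would silently reset that machine's
    account password."""
    name = netbios_name_from_smb_conf(smb_conf_text, hostname)
    verdict = classify_account(parse_attribute_blocks(ldap_dump), name)
    return name, verdict, verdict == 'free'


# Constructed sample data reproducing the misconfiguration in the report.
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   ; typo: this is the DC's own name
   netbios name = dc1
"""

# Constructed dump of two computer accounts: a DC (0x82000 = server trust
# account + trusted for delegation) and an ordinary workstation (0x1000).
LDAP_DUMP = """\
sAMAccountName: DC1$
userAccountControl: 532480

sAMAccountName: WS42$
userAccountControl: 4096
"""

if __name__ == '__main__':
    name, verdict, ok = join_is_safe(SMB_CONF, LDAP_DUMP, 'lnx01.example.local')
    if ok:
        print(f'{name}: no existing account, safe to run net rpc join')
    else:
        print(f'{name}: refusing to join, name already belongs to a {verdict}')
```

Run as-is the script refuses the join because DC1$ is a domain controller account; change the netbios name to a name nobody owns and it reports the join as safe. The workstation case is also refused on purpose, since the report's own point is that net rpc join gives no warning before replacing an existing object.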

Thierry Carrez (ttx) wrote:

It's by design that you can replace an existing object machine. The DC should probably protect itself against overwriting itself.

What happens if you run "net ads join" instead of "net rpc join"? Does it refuse to overwrite the existing DC machine object? Could you post the output of both commands?

Changed in samba (Ubuntu):
status: New → Incomplete
therebel22 (therebel22) wrote:

Sorry, I can't test it anymore. I don't have any test DC and my Windows admin doesn't want me to test it again on the production DC. If anybody can...

therebel22 (therebel22) wrote:

I have finally made the test 2 times with "net ads join":

root@...: net ads join -U Administrateur -S dc
Joined '...' to realm 'realm'
root@...: net ads join -U Administrateur -S dc
Joined '...' to realm 'realm'

With "net rpc join", 2 times:

root@...: net rpc join -U Administrateur -S dc
Joined domain REALM.
root@...: net rpc join -U Administrateur -S dc
Joined domain REALM.

With "net rpc", we don't know which NetBIOS name has joined the domain.
And there is no check for an existing object with the same name on the DC. For me, it's a pity.

Thierry Carrez (ttx) wrote:

It's consistent with how Windows tools work. By design, you can join as many times as you want, and as long as you give it a Domain Admin password it will overwrite the existing objects in AD (without any warning). So I'd say the tools behave like they should.

I understand that the process is error-prone and especially the DC should not overwrite itself, but that's a server-side issue... not really something we can or should fix from the client side by introducing a difference with how Windows' own tools behave.

Changed in samba (Ubuntu):
status: Incomplete → Invalid