RE: Group membership / Kerberos tickets

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 04/28/05

    Date: Thu, 28 Apr 2005 13:19:40 -0400
    To: "'Zack Schiel'" <ZSchiel@blueandco.com>, <focus-ms@securityfocus.com>
    
    

    1. Yes, you are on the right track; this is [cringe- I hate this phrase]
    expected behavior.
    2. Have you tried using Kerbtray or another utility to purge the servers'
    tickets?
    3. If you don't purge the tickets and get new ones, then you're stuck with
    either waiting for about a week if you have the default Kerberos settings in
    your domain, or you have to reboot the servers.
    4. This is the nature of Kerberos; it's not instantaneous in terms of
    deny/grant/group population changes.

    Laura

    > -----Original Message-----
    > From: Zack Schiel [mailto:ZSchiel@blueandco.com]
    > Sent: Thursday, April 28, 2005 10:52 AM
    > To: focus-ms@securityfocus.com
    > Subject: Group membership / Kerberos tickets
    >
    > I'm hoping that someone here can confirm this for me and
    > possibly give a deeper explanation for the behavior that we're seeing.
    >
    > Essentially, we are in the process of creating a series of
    > site GPOs; the default Authenticated Users permission
    > remains, and we've also denied Read and Apply Group Policy to
    > a new group containing certain computers, mainly servers. 
    > The problem that we're running into is that these servers
    > don't appear in RSoP reports as members of the new security
    > group (even though they have been for nearly 24 hours now),
    > and thus they are receiving and applying these GPOs.  When
    > the machines are rebooted, they correctly add the group to
    > their list of security groups to which they belong, and the
    > GPOs are denied. 
    >
    > The obvious solution is to reboot the servers before linking
    > the GPO.  We would of course prefer to avoid rebooting dozens
    > of servers, however. 
    >
    > I believe the reason this happens is that a machine receives
    > its TGT at startup, and the TGT contains SIDs for groups to
    > which the machine belongs.  This TGT is then simply renewed
    > every X number of hours for several days, and thus the list
    > of SIDs isn't updated until the ticket is actually reissued
    > at restart.  Am I on the right track here?  Is there a
    > relatively easy way to force a machine to reissue its TGT
    > without rebooting or causing other issues? 
    >
    > Aside from our current predicament, this seems to be a bit of
    > a security hole: machines can actively receive GPOs to which
    > they have been denied access, long after they are denied that
    > access.
    >
    > Thanks,
    >
    > -Zack-
    >
    > ______________________
    > Zack Schiel
    > Network Support
    > Blue & Co., LLC
    >

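As an added example (not code from the thread or from either poster), a PowerShell script that carries out Laura's advice on a current Windows build: it purges the computer account's Kerberos tickets with the built-in klist.exe (which covers the job Kerbtray did in 2005), forces a computer policy refresh, and checks whether the denied group now appears in the computer's RSoP group list. It assumes an elevated session, a Windows version that ships klist.exe, and a placeholder group name.

```powershell
# Added example, not from the original thread. Refresh the computer account's
# Kerberos tickets so its group SIDs are current, then re-apply Group Policy.
# Assumes: a Windows build with the built-in klist.exe, an elevated session,
# and a placeholder group name. 0x3e7 is the SYSTEM logon session, which is
# where the computer account's TGT lives.
#Requires -RunAsAdministrator

$SystemLogonId = '0x3e7'
$DenyGroup     = 'GPO-Deny-Servers'   # placeholder: group denied Read/Apply Group Policy

function Get-ComputerTgtSummary {
    # Show the computer account's current TGT (start, end and renew-until times).
    & klist.exe -li $SystemLogonId tgt
}

function Reset-ComputerKerberosTickets {
    # Purge every ticket in the SYSTEM session. The next authentication obtains
    # a new TGT whose PAC carries the current group SIDs, instead of the stale
    # set that plain renewal keeps reusing until the ticket is reissued.
    & klist.exe -li $SystemLogonId purge
    if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }
}

function Test-ComputerGroupInRsop {
    param([string]$GroupName)
    # gpresult lists the computer's token groups under
    # "The computer is a part of the following security groups".
    $report = & gpresult.exe /scope computer /r
    return [bool]($report | Where-Object { $_ -match [regex]::Escape($GroupName) })
}

Write-Host 'TGT before purge:'; Get-ComputerTgtSummary
Reset-ComputerKerberosTickets
# Force a refresh so the GP engine evaluates security filtering with the fresh token.
& gpupdate.exe /target:computer /force | Out-Null
Write-Host 'TGT after purge:';  Get-ComputerTgtSummary

if (Test-ComputerGroupInRsop -GroupName $DenyGroup) {
    Write-Host "$DenyGroup now appears in the computer's security groups; the deny ACE applies."
} else {
    Write-Warning "$DenyGroup still missing; the membership change may not have replicated to the DC this server authenticated against."
}
```

If the group still does not show after the purge, check replication to the authenticating DC before falling back to the reboot Zack wanted to avoid.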