I was reviewing a client's setup related to managing Windows Remote accounts with another 'Admin Account' when I observed a setup that boggled my mind.
FTR: My understanding is that PAM expects both the Management and Managed accounts to be of the same "TYPE", i.e. linked to an application of the same type. So only a Windows Remote account can manage a Windows Remote account and an Active Directory account can manage an Active Directory account, but you cannot have an Active Directory account (AD Application type) manage a Windows Remote account (Windows Remote Application type); the accounts must be of the same type.
Here is the setup I observed.
The client has PAM 3.2.6, several domains and an Account (call it ADADMINACCT) in each domain that has been granted local administrative privileges on respective member servers by way of nested groups in each server's Local Administrators group.
Each of the AD (ADADMINACCT) Accounts has been on-boarded into PAM as follows:
1. Once for each domain as an AD TYPE of Account (linked to respective Active Directory application for that domain)
- These AD Type accounts are Synchronized and Verified; the password is known.
- Password rotation is not expected to ever happen on these accounts.
- These AD accounts, however, are not being used for any particular purpose in PAM.
2. Once per Target Device as Windows Remote TYPE Account (linked to a windows remote application for that target device);
- These WinRemoteAgent ADADMINACCT accounts are NEITHER synchronized nor verified.
- Password is stored in Password Authority only.
- To be 100% clear, these ADADMINACCT accounts ONLY EXIST IN AD; they DO NOT EXIST on the member servers. The Password in PAM on each of these accounts has been manually set to the correct password, i.e. to match the AD Account Password (having fun yet?).
Now comes the part I can't wrap my mind around.
They have, somehow, been able to on-board member servers' local admin accounts (call them LOCALADMIN) using the Windows Remote (NON-SYNCH'd ADADMINACCT as the Managing Account).
What's more, they've been able to on-board several hundred LOCALADMIN accounts (as Windows Remote accounts) and force-set the initial password on those accounts using the ADADMINACCT Windows Remote Account as the management account.
And it works: initial on-boarding of the account works, as does subsequent Password Rotation and verification; in the GUI the account is shown as verified and we receive success messages while verifying and updating the password, although I can't explain why it would.
Although it does work, the catalina log shows symptoms of why it shouldn't. Here's an excerpt from the client's catalina log:
Mar 25, 2020 2:51:50 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager verifyWindowsCredentials
WARNING: Verifying credential for account LOCALADMIN on server cdp-4dgcsvc001.SUB.DOM.com with net rpc didn't succeed. Use rwin to do this operation again.
Mar 25, 2020 2:51:50 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent a
INFO: invokeSMB exit code = 0
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent execute
INFO: execute exit code = 0
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent a
INFO: invokeSMB exit code = 0
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager updateWindowsCredentials
WARNING: Updating credential for account LOCALADMIN on server cdp-4dgcsvc001.SUB.DOM.com by OTHER account with net rpc didn't succeed.Reason: [Failed to set password for 'LOCALADMIN' with error: Failed to connect to IPC$ share on cdp-4dgcsvc001.SUB.DOM.com.protocol negotiation failed: NT_STATUS_CONNECTION_RESET]. Use rwin to do this operation again.
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent a
INFO: invokeSMB exit code = 0
Mar 25, 2020 2:51:58 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent execute
INFO: execute exit code = 0
For testing purposes, in PAM, we changed the Password on one of the (ADADMINACCT) Windows Remote Accounts to something that we knew was NOT the correct password for that account; we again attempted to change the password for the managed LOCALADMIN account that previously succeeded, but now it failed, with a different error:
PAM-CM-4050: Windows Remote logon failed because of bad username or password, with Administrator account ADADMINACCT on target server 10.14.134.137.
I've tested this setup in my 3.3 clustered environment and I cannot get it to work: I cannot get the password to force-set upon initial on-board, and I can't get it to spin while managed by a similarly configured admin account. I get this error, which is the behavior that I would expect:
Mar 25, 2020 8:31:26 PM com.ca.pam.rest.PAUtil generateExceptionFromAppCtx
SEVERE: UpdateTargetAccountCmd.invoke Failed to synchronize password with target
Mar 25, 2020 8:31:47 PM com.cloakware.cspm.server.app.impl.VerifyAccountPasswordCmd invoke
WARNING: VerifyAccountPasswordCmd.invoke, end: result=true, accounts=1, duration=106.38549ms
Mar 25, 2020 8:32:23 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager verifyWindowsCredentials
WARNING: Verifying credential for account LOCALADMIN on server 192.168.2.102 with net rpc didn't succeed. Use rwin to do this operation again.
Mar 25, 2020 8:32:28 PM com.cloakware.cspm.server.app.impl.VerifyAccountPasswordCmd invoke
WARNING: VerifyAccountPasswordCmd.invoke, end: result=true, accounts=1, duration=4337.4937ms
Mar 25, 2020 8:32:42 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager verifyWindowsCredentials
WARNING: Verifying credential for account LOCALADMIN on server 192.168.2.102 with net rpc didn't succeed. Use rwin to do this operation again.
Mar 25, 2020 8:32:46 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager updateWindowsCredentials
WARNING: Updating credential for account LOCALADMIN on server 192.168.2.102 by OTHER account with net rpc didn't succeed.
Reason: [mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Failed to set password for 'LOCALADMIN' with error: Failed to connect to IPC$ share on 192.168.2.102.
session setup failed: NT_STATUS_LOGON_FAILURE]. Use rwin to do this operation again.
Mar 25, 2020 8:32:49 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke 4664: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Failed to set password for 'LOCALADMIN' with error: Failed to connect to IPC$ share on 192.168.2.102.
session setup failed: NT_STATUS_LOGON_FAILURE
PAM-CM-1104: The specified network account name or password is not correct.
null
Of course the password is correct on both accounts; I've verified them individually.
Any thoughts?
------------------------------
Services Architect
HCL Technologies Ltd
------------------------------
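The log excerpts above show the pattern that matters operationally: the Windows Remote agent first tries `net rpc`, logs a WARNING when that fails, and retries with `rwin`; whether the managed account ends up "verified" depends on what the retry returns. An administrator inheriting a setup like this will want to know how many managed accounts are only working because of that retry, and which ones fail outright with a PAM-CM code. The following is an added example, not part of the original post and not code from the PAM product: it parses catalina records of the two-line shape seen above (a `<timestamp> <class> <method>` header followed by `<LEVEL>: <message>`, with continuation lines for multi-line reasons) and pairs each "net rpc didn't succeed" warning with the record that closes it. The rule for which record closes a fallback (the next agent `execute exit code` line or the next SEVERE record carrying a PAM-CM code) is an assumption made for this example, since those lines do not name the account; the sample input is a trimmed copy of the post's own excerpts.

```python
"""Find Windows Remote 'net rpc' -> 'rwin' fallbacks in a PAM catalina log.

Added example (not from the post or the PAM product). It assumes only the
record layout visible in the post; how an outcome is attributed to a
fallback is a heuristic chosen here, not documented PAM behaviour.
"""
import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
LEVEL_RE = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
FALLBACK_RE = re.compile(r"credential for account (\S+) on server (\S+) .*with net rpc didn't succeed")
EXIT_RE = re.compile(r"^execute exit code = (\d+)$")
PAM_CODE_RE = re.compile(r"PAM-CM-\d+")
NT_STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")


@dataclass
class Record:
    timestamp: str
    cls: str
    method: str
    level: str
    message: str


@dataclass
class Fallback:
    timestamp: str
    operation: str            # "verify" or "update", taken from the method name
    account: str
    server: str
    nt_status: Optional[str]  # NT_STATUS_* quoted in the net rpc failure, if any
    outcome: str = "pending"  # "rwin_exit=<n>" or "severe:<PAM-CM code>"


def parse_catalina(text: str) -> list[Record]:
    """Group lines into records; lines that are neither header nor level continue the last message."""
    records, header = [], None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            header = m.groups()
        elif (m := LEVEL_RE.match(line)) and header:
            records.append(Record(*header, m.group(1), m.group(2)))
        elif records and line.strip():
            records[-1].message += "\n" + line
    return records


def find_fallbacks(records: list[Record]) -> list[Fallback]:
    """Pair each 'net rpc didn't succeed' warning with the record that closes it."""
    events: list[Fallback] = []
    for r in records:
        if (m := FALLBACK_RE.search(r.message)):
            nt = NT_STATUS_RE.search(r.message)
            op = "verify" if r.method.startswith("verify") else "update"
            events.append(Fallback(r.timestamp, op, m.group(1), m.group(2), nt.group(0) if nt else None))
            continue
        # Heuristic (assumption): the next agent "execute exit code" line or the
        # next SEVERE record with a PAM-CM code closes every pending fallback,
        # because those lines do not name the account themselves.
        outcome = None
        if r.method == "execute" and (e := EXIT_RE.match(r.message)):
            outcome = f"rwin_exit={e.group(1)}"
        elif r.level == "SEVERE" and (c := PAM_CODE_RE.search(r.message)):
            outcome = f"severe:{c.group(0)}"
        if outcome:
            for ev in events:
                if ev.outcome == "pending":
                    ev.outcome = outcome
    return events


def rwin_dependent(events: list[Fallback]) -> list[tuple[str, str]]:
    """(account, server) pairs whose management only succeeded on the rwin retry."""
    return sorted({(e.account, e.server) for e in events if e.outcome == "rwin_exit=0"})


# Sample input: a trimmed copy of the catalina excerpts quoted in the post.
SAMPLE_LOG = """\
Mar 25, 2020 2:51:50 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager verifyWindowsCredentials
WARNING: Verifying credential for account LOCALADMIN on server cdp-4dgcsvc001.SUB.DOM.com with net rpc didn't succeed. Use rwin to do this operation again.
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent execute
INFO: execute exit code = 0
Mar 25, 2020 2:51:54 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager updateWindowsCredentials
WARNING: Updating credential for account LOCALADMIN on server cdp-4dgcsvc001.SUB.DOM.com by OTHER account with net rpc didn't succeed.Reason: [Failed to set password for 'LOCALADMIN' with error: Failed to connect to IPC$ share on cdp-4dgcsvc001.SUB.DOM.com.protocol negotiation failed: NT_STATUS_CONNECTION_RESET]. Use rwin to do this operation again.
Mar 25, 2020 2:51:58 PM com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent execute
INFO: execute exit code = 0
Mar 25, 2020 8:32:46 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager updateWindowsCredentials
WARNING: Updating credential for account LOCALADMIN on server 192.168.2.102 by OTHER account with net rpc didn't succeed.
Reason: [mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Failed to set password for 'LOCALADMIN' with error: Failed to connect to IPC$ share on 192.168.2.102.
session setup failed: NT_STATUS_LOGON_FAILURE]. Use rwin to do this operation again.
Mar 25, 2020 8:32:49 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke 4664: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
PAM-CM-1104: The specified network account name or password is not correct.
"""

if __name__ == "__main__":
    found = find_fallbacks(parse_catalina(SAMPLE_LOG))
    for ev in found:
        print(ev)
    print("rwin-dependent:", rwin_dependent(found))
```

Run against a full catalina log, `rwin_dependent` gives the list of managed accounts whose verification and rotation succeed only on the `rwin` retry, which is the population to check before anything changes on the Samba/`net rpc` side; the `nt_status` field separates transport problems (NT_STATUS_CONNECTION_RESET) from credential problems (NT_STATUS_LOGON_FAILURE) without reading every reason block by hand.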