KB-0016: Is the ADClient process running on the UNIX box secure?
Question:
Is the ADClient process running on the UNIX box secure?
Answer:
The adclient background process does not listen on any network ports for incoming traffic; it only performs outbound network operations to domain controllers (DC) and domain name servers (DNS). Hence it does not add an extra network vulnerability.
The process runs as root in order to protect its persistent data from unauthorized snooping by non-root users on the same machine. In addition, it can be configured to encrypt all locally stored AD cache data using an encryption key; this protects the cache against physical attack (for example, a stolen hard disk). It stores all credentials using the tried and tested MIT Kerberos implementation of the in-memory cache and the standard keytab storage format.
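The claim that adclient opens no listening ports and only makes outbound connections can be checked on a given host. The script below is an added example, not vendor code: it assumes a Linux host with the iproute2 `ss` tool, and the function names, addresses, ports and PIDs in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a named process has no inbound (listening) sockets.
# Input on stdin: output of `ss -H -tuanp`, run as root so the users:(...) column is filled in.
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process

# Print "proto local-address" for each TCP LISTEN or bound UDP (UNCONN) socket owned by $1.
inbound_sockets() {
    awk -v proc="$1" '
        ($2 == "LISTEN" || $2 == "UNCONN") && index($0, "(\"" proc "\",") {
            print $1, $5
        }'
}

# Print the peer address of each established TCP connection owned by $1.
outbound_peers() {
    awk -v proc="$1" '
        $2 == "ESTAB" && index($0, "(\"" proc "\",") { print $6 }'
}

# Return 0 if $1 has no inbound sockets, 1 (and list them) otherwise.
check_no_listeners() {
    found=$(inbound_sockets "$1")
    if [ -n "$found" ]; then
        printf '%s accepts inbound traffic on:\n%s\n' "$1" "$found"
        return 1
    fi
    printf '%s: no listening sockets\n' "$1"
}

# Constructed sample of `ss -H -tuanp` output (documentation addresses, made-up PIDs).
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1043,fd=3))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=700,fd=5))
tcp ESTAB 0 0 192.0.2.10:51812 192.0.2.53:389 users:(("adclient",pid=1500,fd=12))
tcp ESTAB 0 0 192.0.2.10:40022 192.0.2.53:88 users:(("adclient",pid=1500,fd=14))
tcp ESTAB 0 0 192.0.2.10:22 192.0.2.77:50514 users:(("sshd",pid=2210,fd=4))'

# On a live host: ss -H -tuanp | check_no_listeners adclient
printf '%s\n' "$SAMPLE" | check_no_listeners adclient
echo "adclient outbound peers:"
printf '%s\n' "$SAMPLE" | outbound_peers adclient
```

The peers listed by `outbound_peers` should all be domain controllers or DNS servers for the host's domain; anything else warrants a closer look.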