Web lists-archives.com

[Samba] Samba 4.7+ - RODC and password change support





 Hi,

 I am working on a deployment of Samba as a domain controller, with one central domain controller and several read-only DC.

 The deployment works, and computers seems to interact with the RODCs as they should, but sometimes computers leave the domain after a password change.

 This seems to happen only on RODC where the passwords have been replicated - on one occasion the RODC was not set to store password hashes, and computers connected to this RODC don't seem to have issues.

 Reading the Samba 4.7 release notes, I find the following paragraph :

> Improved Read-Only Domain Controller (RODC) Support
> ---------------------------------------------------
> Support for RODCs in Samba AD until now has been experimental. With this latest > version, many of the critical bugs have been fixed and the RODC can be used in > DC environments requiring no writable behaviour. RODCs now correctly support
> bad password lockouts and password disclosure auditing through the
> msDS-RevealedUsers attribute.

> The fixes made to the RWDC will also allow Windows RODC to function more
> correctly and to avoid strange data omissions such as failures to replicate > groups or updated passwords. *Password changes are currently rejected at the > RODC, although referrals should be given over LDAP. While any bad passwords can > trigger domain-wide lockout, good passwords which have not been replicated yet > for a password change can only be used via NTLM on the RODC (and not Kerberos).**

*> The reliability of RODCs locating a writable partner still requires some
> improvements and so the 'password server' configuration option is generally
> recommended on the RODC.

> Samba 4.7 is the first Samba release to be secure as an RODC or when
> hosting an RODC.  If you have been using earlier Samba versions to
> host or be an RODC, please upgrade.

> In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
> details on the security implications for password disclosure to an
> RODC using earlier versions.


 This seems like limitations related to the password management for RODC.Looking at the release notes for later versions (minor and major releases, up to 4.9), I don't see any mention of those limitations being fixed.

 Could it be related to our observations? Are they still relevant in 4.9?


 I've also found a couple tickets that could be related to the same. They are dated from before 4.7 release, but they've not been updated since then, so I don't know if they still apply to current versions:

 * RODC password sync for members of the "allowed rodc replication
   group" is not working (https://bugzilla.samba.org/show_bug.cgi?id=12771)
 * Computer password change failure makes local secrets.tdb non usable
   (https://bugzilla.samba.org/show_bug.cgi?id=12773)
 * Machine password change does not work on a RODC
   (https://bugzilla.samba.org/show_bug.cgi?id=12774)


 From your experience, are we facing a known bug or limitation, or are there some configuration settings that we are missing ?

 Do you have any recommendations/documentation to set up Samba as a RODC (other than https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) ?


 Best regards,

 Julien



--
Message envoyé grâce à OBM, la Communication Libre par Linagora

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba