Re: [Samba] Samba 4.7+ - RODC and password change support


On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>  The deployment works, and computers seem to interact with the RODCs
> as they should, but sometimes computers leave the domain after a
> password change.
>  This seems to happen only on RODC where the passwords have been
> replicated - on one occasion the RODC was not set to store password
> hashes, and computers connected to this RODC don't seem to have issues.
>  This seems like limitations related to the password management for
> RODC. Looking at the release notes for later versions (minor and major
> releases, up to 4.9), I don't see any mention of those limitations
> being fixed.
>  Could it be related to our observations? Are they still relevant in 4.9?
>  I've also found a couple of tickets that could be related to the same.
> They are dated from before 4.7 release, but they've not been updated
> since then, so I don't know if they still apply to current versions:
>  * RODC password sync for members of the "allowed rodc replication
>    group" is not working
> (https://bugzilla.samba.org/show_bug.cgi?id=12771)

Just marked this bug as fixed (in 4.7).

>  * Computer password change failure makes local secrets.tdb non usable
>    (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>  * Machine password change does not work on a RODC
>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)

I don't believe these issues were fully resolved. Password changes are
write operations and there is normally a forwarding routine that passes
them to a writable domain controller (which we have yet to implement).
There might be some paths that work, but we haven't got any tests of this.

There haven't been any improvements in this area since 4.7, as far as I

>  From your experience, are we facing a known bug or limitation, or are
> there some configuration settings that we are missing?
>  Do you have any recommendations/documentation to set up Samba as a
> RODC (other than
> https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)?
