Web lists-archives.com

Re: [Samba] Samba 4.7+ - RODC and password change support




On Tue, 23 Oct 2018 10:07:29 +1300
Garming Sam via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >
> >  The deployment works, and computers seems to interact with the
> > RODCs as they should, but sometimes computers leave the domain
> > after a password change.
> >
> >  This seems to happen only on RODC where the passwords have been
> > replicated - on one occasion the RODC was not set to store password
> > hashes, and computers connected to this RODC don't seem to have
> > issues.
> >
> >  This seems like limitations related to the password management for
> > RODC.Looking at the release notes for later versions (minor and
> > major releases, up to 4.9), I don't see any mention of those
> > limitations being fixed.
> >
> >  Could it be related to our observations? Are they still relevant
> > in 4.9?
> >
> >
> >  I've also found a couple tickets that could be related to the same.
> > They are dated from before 4.7 release, but they've not been updated
> > since then, so I don't know if they still apply to current versions:
> >
> >  * RODC password sync for members of the "allowed rodc replication
> >    group" is not working
> > (https://bugzilla.samba.org/show_bug.cgi?id=12771)
> 
> Just marked this bug as fixed (in 4.7).
> 
> >  * Computer password change failure makes local secrets.tdb non
> > usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> >  * Machine password change does not work on a RODC
> >    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >
> I don't believe these issues were fully resolved. Password changes are
> write operations and there is normally a forwarding routine that
> passes them to a writable domain controller (which we have yet to
> implement). There might be some paths that work, but we haven't got
> any tests of this.
> 
> There haven't been any improvements in this area since 4.7, as far as
> I know.
> 
> Cheers,
> 
> Garming
> 

When 4.7.0 came out, there was this amongst the release notes:

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With
this latest version, many of the critical bugs have been fixed and the
RODC can be used in DC environments requiring no writable behaviour. 

This seems to suggest that using an RODC is no longer experimental and
can be using in production.

However, if there isn't the structure in place to forward all write
operations to an RWDC, then how can it be used in production ?

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba