Web lists-archives.com

Re: [Samba] Samba 4.7+ - RODC and password change support




On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> On Tue, 23 Oct 2018 10:07:29 +1300
> Garming Sam via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi,
>>
>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>  The deployment works, and computers seems to interact with the
>>> RODCs as they should, but sometimes computers leave the domain
>>> after a password change.
>>>
>>>  This seems to happen only on RODC where the passwords have been
>>> replicated - on one occasion the RODC was not set to store password
>>> hashes, and computers connected to this RODC don't seem to have
>>> issues.
>>>
>>>  This seems like limitations related to the password management for
>>> RODC.Looking at the release notes for later versions (minor and
>>> major releases, up to 4.9), I don't see any mention of those
>>> limitations being fixed.
>>>
>>>  Could it be related to our observations? Are they still relevant
>>> in 4.9?
>>>
>>>
>>>  I've also found a couple tickets that could be related to the same.
>>> They are dated from before 4.7 release, but they've not been updated
>>> since then, so I don't know if they still apply to current versions:
>>>
>>>  * RODC password sync for members of the "allowed rodc replication
>>>    group" is not working
>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>> Just marked this bug as fixed (in 4.7).
>>
>>>  * Computer password change failure makes local secrets.tdb non
>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>  * Machine password change does not work on a RODC
>>>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>
>> I don't believe these issues were fully resolved. Password changes are
>> write operations and there is normally a forwarding routine that
>> passes them to a writable domain controller (which we have yet to
>> implement). There might be some paths that work, but we haven't got
>> any tests of this.
>>
>> There haven't been any improvements in this area since 4.7, as far as
>> I know.
>>
>> Cheers,
>>
>> Garming
>>
> When 4.7.0 came out, there was this amongst the release notes:
>
> Improved Read-Only Domain Controller (RODC) Support
>
> Support for RODCs in Samba AD until now has been experimental. With
> this latest version, many of the critical bugs have been fixed and the
> RODC can be used in DC environments requiring no writable behaviour. 
>
> This seems to suggest that using an RODC is no longer experimental and
> can be using in production.
>
> However, if there isn't the structure in place to forward all write
> operations to an RWDC, then how can it be used in production ?

As far as I remember, change passwords initiated by machines shouldn't
have unjoined the domain (but passwords could fail to rotate). Most of
the write operations just come across as LDAP referrals, so it's
generally the client's job to redirect themselves to someone writable.
Most write RPC calls are blocked but changing a password over RPC was a
special case I don't think we actually understood until after the notes
were written.

Cheers,

Garming

>
> Rowland
>  
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba