
Re: [Samba] Samba 4.7+ - RODC and password change support




As far as I remember, change passwords initiated by machines shouldn't
have unjoined the domain (but passwords could fail to rotate). Most of
the write operations just come across as LDAP referrals, so it's
generally the client's job to redirect themselves to someone writable.
Most write RPC calls are blocked but changing a password over RPC was a
special case I don't think we actually understood until after the notes
were written.


How can I check how the password change is being done (whether LDAP referral or RPC)?

If we are doing it by RPC, shouldn't we see another type of error (because it's blocked)?


For what it's worth: we've verified that forcing an update of the hashes on the RODC after the password change did not prevent the error.




On 23/10/2018 at 22:45, Garming Sam via samba wrote:
On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
On Tue, 23 Oct 2018 10:07:29 +1300
Garming Sam via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
  The deployment works, and computers seem to interact with the
RODCs as they should, but sometimes computers leave the domain
after a password change.

  This seems to happen only on RODC where the passwords have been
replicated - on one occasion the RODC was not set to store password
hashes, and computers connected to this RODC don't seem to have
issues.

  These seem like limitations related to the password management for
RODC. Looking at the release notes for later versions (minor and
major releases, up to 4.9), I don't see any mention of those
limitations being fixed.

  Could it be related to our observations? Are they still relevant
in 4.9?


  I've also found a couple of tickets that could be related to the same.
They are dated from before the 4.7 release, but they've not been updated
since then, so I don't know if they still apply to current versions:

  * RODC password sync for members of the "allowed rodc replication
    group" is not working
(https://bugzilla.samba.org/show_bug.cgi?id=12771)
Just marked this bug as fixed (in 4.7).

  * Computer password change failure makes local secrets.tdb non
usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
  * Machine password change does not work on a RODC
    (https://bugzilla.samba.org/show_bug.cgi?id=12774)

I don't believe these issues were fully resolved. Password changes are
write operations and there is normally a forwarding routine that
passes them to a writable domain controller (which we have yet to
implement). There might be some paths that work, but we haven't got
any tests of this.

There haven't been any improvements in this area since 4.7, as far as
I know.

Cheers,

Garming

When 4.7.0 came out, there was this amongst the release notes:

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With
this latest version, many of the critical bugs have been fixed and the
RODC can be used in DC environments requiring no writable behaviour.

This seems to suggest that using an RODC is no longer experimental and
can be used in production.

However, if there isn't the structure in place to forward all write
operations to an RWDC, then how can it be used in production?
As far as I remember, change passwords initiated by machines shouldn't
have unjoined the domain (but passwords could fail to rotate). Most of
the write operations just come across as LDAP referrals, so it's
generally the client's job to redirect themselves to someone writable.
Most write RPC calls are blocked but changing a password over RPC was a
special case I don't think we actually understood until after the notes
were written.

Cheers,

Garming

Rowland
--
Message sent with OBM, Free Communication by Linagora

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
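Added example, not code from this thread or from Samba: the question above is how to tell whether a machine's password change against an RODC went through LDAP (where the RODC answers the write with a referral the client is expected to chase) or through RPC. The script below encodes and decodes LDAP modifyResponse PDUs in BER (RFC 4511) and classifies each as "applied", "referral" (resultCode 10, with the writable-DC URIs) or "refused". Every PDU, message id, diagnostic string and the ldap://dc1.example.com referral URI is constructed for the example; the RPC path is not covered here, because it appears as DCE/RPC traffic rather than LDAP results and needs a different decoder.

```python
"""
Added example: encode and decode LDAP modifyResponse PDUs (RFC 4511 BER)
and classify each one as "applied", "referral" (resultCode 10, carrying
the writable-DC URIs the client must follow) or "refused".
All sample PDUs are constructed for this example.
"""

# LDAP result codes that matter for a write sent to a read-only DC
RESULT_NAMES = {
    0: "success",
    10: "referral",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

def ber_encode(tag, payload):
    """Wrap payload in a BER TLV, using short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def ber_decode_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def ber_decode_children(buf):
    """Decode every TLV inside a constructed value, in order."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = ber_decode_tlv(buf, pos)
        items.append((tag, value))
    return items

def build_modify_response(msg_id, result_code, diag="", referrals=()):
    """Construct LDAPMessage { messageID, modifyResponse LDAPResult }.
    msg_id and result_code stay below 128, so one-byte INTEGERs suffice."""
    body = ber_encode(0x0A, bytes([result_code]))   # ENUMERATED resultCode
    body += ber_encode(0x04, b"")                   # matchedDN (empty)
    body += ber_encode(0x04, diag.encode())         # diagnosticMessage
    if referrals:
        uris = b"".join(ber_encode(0x04, u.encode()) for u in referrals)
        body += ber_encode(0xA3, uris)              # [3] Referral ::= SEQUENCE OF URI
    op = ber_encode(0x67, body)                     # [APPLICATION 7] ModifyResponse
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + op)

def classify_modify_response(pdu):
    """Decode one LDAPMessage and report what the DC did with the write."""
    tag, value, _ = ber_decode_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    children = ber_decode_children(value)
    msg_id = children[0][1][0]
    op_tag, op_val = children[1]
    if op_tag != 0x67:
        return {"message_id": msg_id, "kind": "not-a-modify-response"}
    fields = ber_decode_children(op_val)
    code = fields[0][1][0]
    diag = fields[2][1].decode("utf-8", errors="replace")
    referrals = [u.decode() for t, v in fields[3:] if t == 0xA3
                 for _, u in ber_decode_children(v)]
    if code == 10 and referrals:
        kind = "referral"   # DC declined the write; client must follow the URI
    elif code == 0:
        kind = "applied"    # write accepted where it was sent
    else:
        kind = "refused"    # hard error, nothing for the client to chase
    return {"message_id": msg_id, "kind": kind, "result_code": code,
            "result_name": RESULT_NAMES.get(code, "other"),
            "referrals": referrals, "diagnostic": diag}

if __name__ == "__main__":
    # Constructed sample: a read-only DC answering a password modify with a referral
    sample = build_modify_response(
        5, 10, "write operations must go to a writable DC",
        ["ldap://dc1.example.com/CN=pc1,CN=Computers,DC=example,DC=com"])
    print(classify_modify_response(sample))
```

Feed classify_modify_response the raw bytes of a modifyResponse taken from a capture on the RODC's LDAP port: a "referral" result shows the client is changing the password over LDAP and should be following the URI to a writable DC, while a capture that contains no LDAP modify for the account at all but does show DCE/RPC traffic from the machine points at the RPC path the thread discusses.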