
Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?




On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:
> 
> On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
> > On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> > > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> > > 
> > > [...]
> > > 
> > > > > Should the samba RODC act like the windows version or is it different
> > > > > by design?
> > > > > 
> > > > 
> > > > Yes it should and there is a bug report for something similar already,
> > > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > > > 
> > > > I know that is for members of the denied group, but the substance is
> > > > the same, users are not getting authenticated on a RODC from a RWDC.
> > > > 
> > > > Can you please add to that bug report ?
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > 
> > > Thanks Rowland, that's exactly the topic. Garming Sam commented on it
> > > yesterday, the issue is that kerberos forwarding isn't implemented for
> > > now. That is exactly what we're seeing, authentication works __after__
> > > (from the second attempt on) the initial password sync is done, the
> > > first attempt isn't proxied.
> > 
> > It should work, as long as you are using the internal Heimdal KDC, and
> > I thought we even had tests for that.  The KDC propagates up a special
> > error code to the processing layer to say 'please proxy this packet to
> > a full DC' to trigger that.
> 
> We use the internal Heimdal KDC, and it doesn't work, at least for 
> version 4.9.4. Is there any stuff I can test? Or can you give me an 
> entry point to the code? Thanks.

Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c
for how it gets the error HDB_NOT_FOUND_HERE and turns that into
KDC_PROXY_REQUEST, which triggers sending it off to another DC.  

A packet trace should be your first task to confirm nothing is being
sent on to any DC.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
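As an added example (not from this thread or from Samba's own code), the kind of question the packet trace is meant to answer: given a simplified, constructed trace of Kerberos AS exchanges, report which principals' first request was answered locally with an error instead of being forwarded to a full DC. The addresses, principal names and the one-line trace format are assumptions, not real tshark output.

```python
import re

# Constructed, simplified trace (not real tshark output). 10.0.0.10 is the RODC,
# 10.0.0.20 the full DC: alice's first AS-REQ gets a local KRB-ERROR and only
# her retry succeeds; bob's AS-REQ is forwarded to the full DC and succeeds.
TRACE = """\
10:44:01.100 10.0.0.50 -> 10.0.0.10 AS-REQ cname=alice
10:44:01.104 10.0.0.10 -> 10.0.0.50 KRB-ERROR
10:44:09.300 10.0.0.50 -> 10.0.0.10 AS-REQ cname=alice
10:44:09.305 10.0.0.10 -> 10.0.0.50 AS-REP cname=alice
10:45:02.000 10.0.0.51 -> 10.0.0.10 AS-REQ cname=bob
10:45:02.003 10.0.0.10 -> 10.0.0.20 AS-REQ cname=bob
10:45:02.020 10.0.0.20 -> 10.0.0.10 AS-REP cname=bob
10:45:02.022 10.0.0.10 -> 10.0.0.51 AS-REP cname=bob
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)\s*(.*)$")

def analyse(trace, rodc, rwdcs):
    """Pair each client AS-REQ to the RODC with a forwarded copy (if any) and the reply."""
    attempts, pending = [], {}  # pending: client address -> attempt awaiting a reply
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _, src, dst, msg, rest = m.groups()
        cm = re.search(r"cname=(\S+)", rest)
        cname = cm.group(1) if cm else "?"
        if msg == "AS-REQ" and dst == rodc and src not in rwdcs:
            # New client attempt; 'proxied' records whether the RODC forwarded it
            pending[src] = {"cname": cname, "client": src, "proxied": False, "outcome": "no reply"}
            attempts.append(pending[src])
        elif msg == "AS-REQ" and src == rodc and dst in rwdcs:
            for a in pending.values():  # forwarded copy of an open attempt
                if a["cname"] == cname:
                    a["proxied"] = True
        elif src == rodc and dst in pending:
            pending.pop(dst)["outcome"] = msg  # RODC's reply to the client
    return attempts

def unproxied_first_failures(attempts):
    """Principals whose first request got a local KRB-ERROR without being forwarded."""
    seen, bad = set(), []
    for a in attempts:
        if a["cname"] not in seen:
            seen.add(a["cname"])
            if not a["proxied"] and a["outcome"] == "KRB-ERROR":
                bad.append(a["cname"])
    return bad
```

On a real capture, a non-empty result for an RODC that is supposed to proxy is the symptom described above; an empty result with bob-style forwarded requests is what the proxying path should look like.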


