[PATCH] Some fixes for Samba RODC

Garming Sam garming at catalyst.net.nz
Wed Apr 5 00:26:42 UTC 2017


I'm currently working on the RODC, and here are some of the patches I've
got so far. There's three major issues that these patches deal with:

    1) The ability to add and delete objects on the RODC. While these
objects are never replicated back, they will almost certainly cause
replication issues.

    2) Password lockouts on the RODC were previously blocked by
modification of the replicated attribute lockoutTime (which necessarily
caused a referral).

    3) RODC never seemed to receive push-replication from its
replication partner (DNS records were suspect, and UpdateRefs was never
called in join.py).

Also included is removal of a non-necessary (but almost always acquired)
LDB transaction during GetNCChanges which could have caused issues, a
change to the LDAP referral string to point to the PDC, and some tests
to prove the behaviour of referrals.

I'm currently still working on making RODC password forwarding more
reliable and more complete (various bugs in winbindd and libads). The
remaining issues are (which are in various states of completion):

    - Failed (NTLM) logins do not fail over to a RWDC if the password
exists on the RODC

    - NTLM password forwarding is functional, but unreliable because it
can contact another RODC (or itself)

    - Bad password count is neither forwarded, nor reset on a RWDC
(preferably the PDC) to cause domain-wide lockout

    - Automatic preloading of users does not work when using Kerberos

As it is though, the patches thus far should be effectively complete and
can be integrated into master. Any thoughts or ideas are welcome.



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rodc.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170405/cb40b3ab/rodc.patch>

More information about the samba-technical mailing list