[WIP] Re: [PATCH] Some fixes for Samba RODC
garming at catalyst.net.nz
Tue Apr 18 05:03:24 UTC 2017
The next set of RODC patches I am working on resolve most of the
remaining RODC issues I have outlined. The patches make the RODC
actually properly get a RWDC connection in winbindd. There are still
some edge cases where the RODC may reuse old read-only connections, so
that still is yet to be completely resolved.
The patches allow forwarding of wrong password to a RWDC -- directly
forwarding which allows for success in NTLM, while using dummy password
fields for Kerberos. Local successes can now be forwarded to the RWDC to
unlock the account across the domain using ResetBadPasswordCount in
SendToSam (MS-SAMS). The client side code appears to work correctly
against Windows. The server implementation of the reset bad password
count in Samba is currently missing an access check to ensure only RODC
cached accounts are modified. Otherwise, it all appears to be functional
(albeit without any written tests).
Any comments welcome. I'll be working on some tests to prove that the
resets actually work.
On 10/04/17 11:40, Garming Sam wrote:
> On 05/04/17 12:26, Garming Sam wrote:
>> 2) Password lockouts on the RODC were previously blocked by
>> modification of the replicated attribute lockoutTime (which necessarily
>> caused a referral).
> I've now allowed some password lockout tests to run against the RODC
> (where the secrets exist on the RODC). The tests fail and then pass at
> the expected points during the patches.
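The forwarding flow the post describes (local check against RODC-cached secrets, bad passwords forwarded to the RWDC, local successes forwarded as a ResetBadPasswordCount so the account is unlocked domain-wide) and the access check the post says is still missing on the server side, as an added toy model. This is illustration code written for this page, not Samba's implementation: the per-RODC "revealed" set, the plain-string password comparison, the lockout threshold of 3 and the account names are all constructed assumptions.

```python
"""Toy model of RODC password forwarding and the RWDC-side access check.

Added illustration, not Samba code. Constructed assumptions:
- which accounts an RODC may cache is a per-RODC set held by the RWDC;
- passwords are compared as plain strings instead of NTLM/Kerberos keys;
- LOCKOUT_THRESHOLD is an invented policy value.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # constructed value


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0
    locked_out: bool = False


class RWDC:
    """Writable DC: authoritative for bad password counts and lockouts."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.revealed = {}  # rodc name -> set of accounts that RODC may cache

    def allow_caching(self, rodc_name, user):
        self.revealed.setdefault(rodc_name, set()).add(user)

    def authenticate(self, user, password):
        acct = self.accounts[user]
        if acct.locked_out:
            return False
        if acct.password == password:
            acct.bad_pwd_count = 0
            return True
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.locked_out = True
        return False

    def reset_bad_password_count(self, rodc_name, user):
        """Modelled ResetBadPasswordCount handler, with the access check
        the post says is missing: only accounts the calling RODC is allowed
        to cache may have their count reset, otherwise any RODC could unlock
        arbitrary accounts."""
        if user not in self.revealed.get(rodc_name, set()):
            return False  # denied: caller holds no cached secret for this account
        acct = self.accounts[user]
        acct.bad_pwd_count = 0
        acct.locked_out = False
        return True


class RODC:
    """Read-only DC: verifies locally when it has the secret, forwards otherwise."""

    def __init__(self, name, rwdc):
        self.name = name
        self.rwdc = rwdc
        self.cache = {}  # user -> password replicated to this RODC

    def cache_secret(self, user):
        if user in self.rwdc.revealed.get(self.name, set()):
            self.cache[user] = self.rwdc.accounts[user].password

    def authenticate(self, user, password):
        """Returns (path, success) where path is 'local' or 'forwarded'."""
        if user not in self.cache:
            # no secret here: the whole attempt goes to the RWDC
            return ("forwarded", self.rwdc.authenticate(user, password))
        if self.cache[user] == password:
            # local success: ask the RWDC to clear the domain-wide count
            self.rwdc.reset_bad_password_count(self.name, user)
            return ("local", True)
        # local failure: forward so the RWDC records it and can lock out
        return ("forwarded", self.rwdc.authenticate(user, password))


def run_scenario():
    """Drives the model and returns the observations worth checking."""
    rwdc = RWDC({"alice": Account("alice-pw"), "bob": Account("bob-pw")})
    rwdc.allow_caching("rodc1", "alice")  # alice cached on rodc1, bob is not
    rodc = RODC("rodc1", rwdc)
    rodc.cache_secret("alice")
    out = {}
    out["alice_wrong"] = rodc.authenticate("alice", "wrong")
    rodc.authenticate("alice", "wrong")
    out["alice_count_after_wrong"] = rwdc.accounts["alice"].bad_pwd_count
    out["alice_right"] = rodc.authenticate("alice", "alice-pw")
    out["alice_count_after_right"] = rwdc.accounts["alice"].bad_pwd_count
    out["bob_wrong"] = rodc.authenticate("bob", "wrong")
    out["bob_reset_allowed"] = rwdc.reset_bad_password_count("rodc1", "bob")
    out["bob_count"] = rwdc.accounts["bob"].bad_pwd_count
    for _ in range(LOCKOUT_THRESHOLD):
        rodc.authenticate("alice", "wrong")
    out["alice_locked"] = rwdc.accounts["alice"].locked_out
    out["alice_unlock"] = rodc.authenticate("alice", "alice-pw")
    out["alice_locked_after"] = rwdc.accounts["alice"].locked_out
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the last branch of `reset_bad_password_count`: without the membership check, a request naming an account the RODC never cached would still clear that account's count, which is exactly the gap the post flags in the Samba server side.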