[PATCH] Implement msDS-RevealedUsers for RODC auditing
Denis Cardon
dcardon at tranquil.it
Fri Mar 10 20:27:14 UTC 2017
G'day Garming,
> Here are some patches to implement the msDS-RevealedUsers attribute for
> RODCs. The typical behaviour is that when an RODC replicates passwords,
> the user whose secrets were revealed (to this less privileged domain
> controller) are recorded against the RODC using this attribute.
It is possible to get msDS-RevealedUsers through an LDAP query, but I
cannot see it in the RSAT interface. Is that expected in the current
state of the codebase?
> There are a few changes required in order to correctly handle
> multi-valued binary linked attributes (which should also not be modified):
>
> * Handling duplicated backlinks pointing to the same object (as the
> forward links are repeated DNs with different binary portions)
> * Improve dbcheck handling against these links
> * Restricting modification, through previously unimplemented
> restriction of systemOnly attributes
Yes, that is much better now :-)
> There's a number of tests now written for the auditing behaviour, as
> well as a number of fixes to bugs in the overall RODC (which were found
> through the testing).
Thanks a lot for all the hard work. After some successful testing of 4.7
git-master plus your patches, I thought it was getting good enough, so I
re-networked part of the office onto its own firewalled AD site with only
an RODC to connect to (with file server and all).
I just had an issue at the end of the day with the following symptoms:
* high winbind load
* logs are spammed with the line [2017/03/10 19:48:25.334808, 0]
../source3/librpc/crypto/gse.c:383(gse_get_client_auth_token)
gse_get_client_auth_token: gss_init_sec_context failed with [
Miscellaneous failure (see text): No next enctype 18 for
hdb-entry](2529638972)
* winbind does not respond, which triggered a watchdog restart of the samba
process (and thus its winbindd child), which brought things back to normal
* the other Samba AD processes actually seemed to be OK during the issue
By the way, you can dismiss the LDAP simple bind problem I talked about in
another mail. It actually works, I screwed up... (need to take more
vacation :-)
Cheers,
Denis
>
> Any thoughts would be appreciated.
>
>
> Cheers,
>
> Garming
>
>
> http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/revealed-test-final
>
> git://git.catalyst.net.nz/samba.git revealed-test-final
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
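The msDS-RevealedUsers values discussed in this thread are Object(DN-Binary) values, and the same user DN legitimately appears several times with a different binary portion, which is exactly the duplicate-backlink case the patch series handles. The following is an added example, not code from this thread or from the Samba code base: a small parser for the DN-Binary string form `B:<hex char count>:<hex bytes>:<DN>` that validates the length field and groups the values an LDAP search would return by target DN. The sample values are constructed (the DNs and binary portions are made up), and the binary portion is treated as opaque rather than decoded.

```python
# Added example (not from the original e-mail or from Samba): parse
# Object(DN-Binary) values such as those returned by an LDAP search for
# msDS-RevealedUsers and group them by target DN, since one user DN appears
# once per revealed secret with a different binary portion.
import re

# DN-Binary string form: "B:<number of hex chars>:<hex bytes>:<DN>"
_DN_BINARY_RE = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.*)$", re.DOTALL)


def parse_dn_binary(value):
    """Return (binary_bytes, dn) for a DN-Binary string, checking the length field."""
    m = _DN_BINARY_RE.match(value)
    if not m:
        raise ValueError("not a DN-Binary value: %r" % value)
    count, hexpart, dn = m.groups()
    if int(count) != len(hexpart):
        raise ValueError("length field %s does not match %d hex chars"
                         % (count, len(hexpart)))
    if len(hexpart) % 2:
        raise ValueError("odd number of hex digits in %r" % value)
    return bytes.fromhex(hexpart), dn


def format_dn_binary(blob, dn):
    """Inverse of parse_dn_binary: build the DN-Binary string form."""
    hexpart = blob.hex().upper()
    return "B:%d:%s:%s" % (len(hexpart), hexpart, dn)


def group_revealed_users(values):
    """Map each target DN to the set of binary portions recorded against it.

    The binary portion is kept opaque here; the point is that a DN may
    occur more than once and must not be collapsed into a single link.
    """
    by_key = {}
    for v in values:
        blob, dn = parse_dn_binary(v)
        key = dn.lower()  # DN comparison is case-insensitive
        by_key.setdefault(key, (dn, set()))[1].add(blob)
    return {dn: blobs for dn, blobs in by_key.values()}


# Constructed sample values in the shape an LDAP search for msDS-RevealedUsers
# on an RODC computer object would return. DNs and binary portions are made up.
SAMPLE_VALUES = [
    "B:8:01000000:CN=alice,CN=Users,DC=example,DC=com",
    "B:8:02000000:CN=alice,CN=Users,DC=example,DC=com",
    "B:8:01000000:CN=bob,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn, blobs in sorted(group_revealed_users(SAMPLE_VALUES).items()):
        print(dn, sorted(b.hex() for b in blobs))
```

Running the block prints the two distinct DNs, with alice carrying two binary portions and bob one; a value whose length field disagrees with its hex part is rejected rather than silently truncated.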