machine password change on memberserver on RODC site

Stefan Metzmacher metze at samba.org
Fri Mar 10 23:23:57 UTC 2017


Hi Denis,

> While testing RODC (4.7 git-head with Garming recent patches), I came
> through an issue with machine password secret update on memberserver
> quite similar to https://bugzilla.samba.org/show_bug.cgi?id=12262 .

I don't think the problem is a wrong encoding of the password,
so it's not really related to that bug. I guess there's another
reason why the password gets out of sync.

> I have run into that bug previously on RWDC sites, but patches have made
> their way in 4.6, so I am wondering if this is specific to RODC sites.
> 
> # samba -V
> Version 4.6.0
> 
> # net ads join -U dcardon-adm --server=dc-nantes
> Enter dcardon-adm's password:
> Using short domain name -- TRANQUILIT
> Joined 'TEST-SRVFIC' to dns domain 'tranquilit.lan'
> 
> # wbinfo -t
> checking the trust secret for domain TRANQUILIT via RPC calls succeeded
> 
> # net ads testjoin
> Join is OK
> 
> # killall -9 smbd ; killall -9 winbindd
> 
> # winbindd ; smbd
> 
> # net ads testjoin
> Join is OK
> 
> # wbinfo -t
> checking the trust secret for domain TRANQUILIT via RPC calls succeeded
> 
> # wbinfo -c
> changing the trust secret for domain TRANQUILIT via RPC calls failed
> failed to call wbcChangeTrustCredentials: WBC_ERR_DOMAIN_NOT_FOUND
> Could not change secret

I guess you'll see in the logs that the password
was changed locally, but failed on the server.

We'd have to see how it works against a Windows RODC,
should the member detect the RODC and do the password
change against a RWDC?

Or should the RODC forward the request to the RODC?

It's also possible that the password is in fact changed correctly
on an RWDC, but not yet replicated back to the RODC.

> # net ads testjoin
> kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
> Preauthentication failed
> kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
> Preauthentication failed
> Join to domain is not valid: Logon failure

net ads testjoin and winbindd are both not able to fall back to
use the previous machine password (yet).

I guess wbinfo -t and net rpc testjoin would still
be successful, because they can use the previous password.

metze
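An added example, not code from this thread or from Samba: a guarded version of the sequence Denis ran, which only attempts the trust secret change when the join validates beforehand and re-checks with `net ads testjoin` afterwards, so that the out-of-sync state described above (new password stored locally, DC still expecting the old one, or the change not yet replicated to the RODC) is reported instead of discovered later. The return codes and messages are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Guards a machine
# password change on a member server. The post-change check deliberately
# uses `net ads testjoin` and not `wbinfo -t`: as noted in the thread,
# `wbinfo -t` can still succeed on the previous password and would hide
# a local/DC mismatch.

join_is_valid() {
    # Kerberos logon with the machine password currently stored locally;
    # "Join is OK" is what a healthy join prints.
    net ads testjoin 2>&1 | grep -q '^Join is OK'
}

trust_secret_ok() {
    # RPC check of the stored trust secret against the DC (exit status only).
    wbinfo -t >/dev/null 2>&1
}

# Return codes: 0 secret changed and join still valid; 2 pre-flight failed,
# nothing attempted; 3 wbinfo -c failed but the join is unchanged; 4 the
# join no longer validates after the attempt, i.e. the new password is
# stored locally but the DC (or the RODC it has not replicated to) still
# expects the old one.
change_machine_password() {
    if ! join_is_valid || ! trust_secret_ok; then
        echo "pre-flight failed: join not healthy, leaving the secret alone" >&2
        return 2
    fi
    # wbinfo exits non-zero when the change could not be completed.
    if out=$(wbinfo -c 2>&1); then
        changed=1
    else
        changed=0
    fi
    if ! join_is_valid; then
        echo "machine password out of sync: changed locally, not accepted by the DC" >&2
        echo "wbinfo -c output was: $out" >&2
        return 4
    fi
    if [ "$changed" = 0 ]; then
        echo "wbinfo -c failed, join unchanged: $out" >&2
        return 3
    fi
    echo "machine password changed and join re-validated"
    return 0
}
```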
