[WIP] Re: [PATCH] Some fixes for Samba RODC
Andrew Bartlett
abartlet at samba.org
Mon May 29 20:01:11 UTC 2017
On Mon, 2017-05-29 at 10:29 +1200, Andrew Bartlett via samba-technical
wrote:
> On Tue, 2017-04-18 at 17:03 +1200, Garming Sam via samba-technical
> wrote:
> > Hi,
> >
> > The next set of RODC patches I am working on resolve most of the
> > remaining RODC issues I have outlined. The patches make the RODC
> > actually properly get a RWDC connection in winbindd. There are still
> > some edge cases where the RODC may reuse old read-only connections, so
> > that still is yet to be completely resolved.
> > The patches allow forwarding of wrong password to a RWDC -- directly
> > forwarding which allows for success in NTLM, while using dummy password
> > fields for Kerberos. Local successes can now be forwarded to the RWDC to
> > unlock the account across the domain using ResetBadPasswordCount in
> > SendToSam (MS-SAMS). The client side code appears to work correctly
> > against Windows. The server implementation of the reset bad password
> > count in Samba is currently missing an access check to ensure only RODC
> > cached accounts are modified. Otherwise, it all appears to be functional
> > (albeit without any written tests).
>
> Attached are the current patches, which I hope to push tomorrow, as
> I've reviewed them all. They make the changes to winbindd required to
> implement these important features, and fill a big gap in our RODC
> support.
These are now in autobuild,
Andrew Bartlett
> Thanks,
>
> Andrew Bartlett
>
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba