[Samba] Samba 4.7+ - RODC and password change support

Julien Ropé jrope at linagora.com
Fri Oct 19 12:26:34 UTC 2018


  Hi,

  I am working on a deployment of Samba as a domain controller, with one central domain controller and several read-only DCs.

  The deployment works, and computers seem to interact with the RODCs as they should, but sometimes computers leave the domain after a password change.

  This seems to happen only on RODC where the passwords have been 
replicated - on one occasion the RODC was not set to store password 
hashes, and computers connected to this RODC don't seem to have issues.

  Reading the Samba 4.7 release notes, I find the following paragraph:

 > Improved Read-Only Domain Controller (RODC) Support
 > ---------------------------------------------------
 > Support for RODCs in Samba AD until now has been experimental. With this latest
 > version, many of the critical bugs have been fixed and the RODC can be used in
 > DC environments requiring no writable behaviour. RODCs now correctly support
 > bad password lockouts and password disclosure auditing through the
 > msDS-RevealedUsers attribute.
 >
 > The fixes made to the RWDC will also allow Windows RODC to function more
 > correctly and to avoid strange data omissions such as failures to replicate
 > groups or updated passwords. Password changes are currently rejected at the
 > RODC, although referrals should be given over LDAP. While any bad passwords can
 > trigger domain-wide lockout, good passwords which have not been replicated yet
 > for a password change can only be used via NTLM on the RODC (and not Kerberos).
 >
 > The reliability of RODCs locating a writable partner still requires some
 > improvements and so the 'password server' configuration option is generally
 > recommended on the RODC.
 >
 > Samba 4.7 is the first Samba release to be secure as an RODC or when
 > hosting an RODC.  If you have been using earlier Samba versions to
 > host or be an RODC, please upgrade.
 >
 > In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
 > details on the security implications for password disclosure to an
 > RODC using earlier versions.


  These seem like limitations related to password management for RODCs. Looking at the release notes for later versions (minor and major releases, up to 4.9), I don't see any mention of those limitations being fixed.

  Could it be related to our observations? Are they still relevant in 4.9?


  I've also found a couple of tickets that could be related to the same thing. They date from before the 4.7 release, but they have not been updated since then, so I don't know whether they still apply to current versions:

  * RODC password sync for members of the "allowed rodc replication
    group" is not working (https://bugzilla.samba.org/show_bug.cgi?id=12771)
  * Computer password change failure makes local secrets.tdb non usable
    (https://bugzilla.samba.org/show_bug.cgi?id=12773)
  * Machine password change does not work on a RODC
    (https://bugzilla.samba.org/show_bug.cgi?id=12774)


  From your experience, are we facing a known bug or limitation, or are there some configuration settings that we are missing?

  Do you have any recommendations/documentation to set up Samba as an RODC (other than https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)?


  Best regards,

  Julien



--
Message sent with OBM, free communication by Linagora
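As an added illustration of the 'password server' recommendation quoted in the release notes above (this is not code from the post or from the Samba project): a small Python check that parses an RODC's smb.conf and warns when the option is missing. Both sample configs are constructed, and dc1.example.com is a placeholder RWDC name.

```python
"""Audit an RODC smb.conf for the 4.7 release-note recommendation."""
import configparser

# Constructed sample: RODC with 'password server' commented out (weak).
WEAK_SMB_CONF = """
[global]
    netbios name = RODC1
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; password server = dc1.example.com
"""

# Constructed sample: same RODC with an explicit writable partner (corrected).
FIXED_SMB_CONF = WEAK_SMB_CONF.replace("; password server", "password server")


def load_smb_conf(text):
    """Parse smb.conf text.

    Samba accepts '#' and ';' as comment markers, tolerates repeated keys,
    and uses %-macros in values, so interpolation must be disabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def audit_rodc_conf(text):
    """Return a list of findings (empty when the config looks sane).

    Per the quoted release notes, an RODC that cannot reliably locate a
    writable partner rejects password changes, so 'password server' should
    name an RWDC explicitly."""
    cp = load_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    role = g.get("server role", "").strip().lower()
    if role != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    if not g.get("password server", "").strip():
        findings.append("'password server' not set: RODC may fail to locate an "
                        "RWDC for password changes and LDAP referrals")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, "->", audit_rodc_conf(conf) or ["no findings"])
```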


