[Samba] Samba 4.7+ - RODC and password change support
Julien Ropé
jrope at linagora.com
Fri Oct 19 12:26:34 UTC 2018
Hi,
I am working on a deployment of Samba as a domain controller, with one
central domain controller and several read-only DC.
The deployment works, and computers seem to interact with the RODCs
as they should, but sometimes computers leave the domain after a
password change.
This seems to happen only on RODC where the passwords have been
replicated - on one occasion the RODC was not set to store password
hashes, and computers connected to this RODC don't seem to have issues.
Reading the Samba 4.7 release notes, I find the following paragraph:
> Improved Read-Only Domain Controller (RODC) Support
> ---------------------------------------------------
> Support for RODCs in Samba AD until now has been experimental. With this latest
> version, many of the critical bugs have been fixed and the RODC can be used in
> DC environments requiring no writable behaviour. RODCs now correctly support
> bad password lockouts and password disclosure auditing through the
> msDS-RevealedUsers attribute.
> The fixes made to the RWDC will also allow Windows RODC to function more
> correctly and to avoid strange data omissions such as failures to replicate
> groups or updated passwords. *Password changes are currently rejected at the
> RODC, although referrals should be given over LDAP. While any bad passwords can
> trigger domain-wide lockout, good passwords which have not been replicated yet
> for a password change can only be used via NTLM on the RODC (and not Kerberos).*
> The reliability of RODCs locating a writable partner still requires some
> improvements and so the 'password server' configuration option is generally
> recommended on the RODC.
> Samba 4.7 is the first Samba release to be secure as an RODC or when
> hosting an RODC. If you have been using earlier Samba versions to
> host or be an RODC, please upgrade.
> In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
> details on the security implications for password disclosure to an
> RODC using earlier versions.
These seem like limitations related to the password management for
RODCs. Looking at the release notes for later versions (minor and major
releases, up to 4.9), I don't see any mention of those limitations being
fixed.
Could it be related to our observations? Are they still relevant in 4.9?
I've also found a couple of tickets that could be related to the same.
They are dated from before 4.7 release, but they've not been updated
since then, so I don't know if they still apply to current versions:
* RODC password sync for members of the "allowed rodc replication
group" is not working (https://bugzilla.samba.org/show_bug.cgi?id=12771)
* Computer password change failure makes local secrets.tdb non usable
(https://bugzilla.samba.org/show_bug.cgi?id=12773)
* Machine password change does not work on a RODC
(https://bugzilla.samba.org/show_bug.cgi?id=12774)
From your experience, are we facing a known bug or limitation, or are
there some configuration settings that we are missing?
Do you have any recommendations/documentation to set up Samba as a
RODC (other than https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)?
Best regards,
Julien
--
Message sent with OBM, Free Communication by Linagora