[Samba] Samba 4.7+ - RODC and password change support

Rowland Penny rpenny at samba.org
Tue Oct 23 21:22:16 UTC 2018


On Wed, 24 Oct 2018 09:45:39 +1300
Garming Sam <garming at catalyst.net.nz> wrote:

> 
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> > On Tue, 23 Oct 2018 10:07:29 +1300
> > Garming Sam via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >>>  The deployment works, and computers seems to interact with the
> >>> RODCs as they should, but sometimes computers leave the domain
> >>> after a password change.
> >>>
> >>>  This seems to happen only on RODC where the passwords have been
> >>> replicated - on one occasion the RODC was not set to store
> >>> password hashes, and computers connected to this RODC don't seem
> >>> to have issues.
> >>>
> >>>  This seems like limitations related to the password management
> >>> for RODC. Looking at the release notes for later versions (minor
> >>> and major releases, up to 4.9), I don't see any mention of those
> >>> limitations being fixed.
> >>>
> >>>  Could it be related to our observations? Are they still relevant
> >>> in 4.9?
> >>>
> >>>
> >>>  I've also found a couple tickets that could be related to the
> >>> same. They are dated from before 4.7 release, but they've not
> >>> been updated since then, so I don't know if they still apply to
> >>> current versions:
> >>>
> >>>  * RODC password sync for members of the "allowed rodc replication
> >>>    group" is not working
> >>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
> >> Just marked this bug as fixed (in 4.7).
> >>
> >>>  * Computer password change failure makes local secrets.tdb non
> >>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> >>>  * Machine password change does not work on a RODC
> >>>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >>>
> >> I don't believe these issues were fully resolved. Password changes
> >> are write operations and there is normally a forwarding routine
> >> that passes them to a writable domain controller (which we have
> >> yet to implement). There might be some paths that work, but we
> >> haven't got any tests of this.
> >>
> >> There haven't been any improvements in this area since 4.7, as far
> >> as I know.
> >>
> >> Cheers,
> >>
> >> Garming
> >>
> > When 4.7.0 came out, there was this amongst the release notes:
> >
> > Improved Read-Only Domain Controller (RODC) Support
> >
> > Support for RODCs in Samba AD until now has been experimental. With
> > this latest version, many of the critical bugs have been fixed and
> > the RODC can be used in DC environments requiring no writable
> > behaviour. 
> >
> > This seems to suggest that using an RODC is no longer experimental
> > and can be used in production.
> >
> > However, if there isn't the structure in place to forward all write
> > operations to an RWDC, then how can it be used in production ?
> 
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was
> a special case I don't think we actually understood until after the
> notes were written.
> 
> Cheers,
> 
> Garming
> 
> >
> > Rowland
> >  
> >

This isn't just about passwords; its very name gives it away: nothing
is written to AD by an RODC, and anything that does need writing to AD
must be sent to an RWDC and then replicated back. This means that
samba_dnsupdate will not work with an RODC; it needs to send the
requests to another DC, but seemingly it isn't happening.

In my opinion, we need to mark RODCs as experimental until there is
code in place to pass all write operations from an RODC to an RWDC.

Rowland
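Added illustration (not part of the thread, and not Samba code) of the client-side behaviour Garming describes above: an RODC does not forward an LDAP write, it answers with a referral and it is the client's job to reopen the operation against the writable DC the referral names. The directory objects, host names and DN are constructed for the example; the LDAP facts it relies on are standard (a referral result has resultCode 10 and carries RFC 4516 LDAP URLs). A real client would get the same result code and URL list from its LDAP library rather than from the stand-in `Directory` class used here.

```python
"""Model of LDAP write referrals from an RODC and a client that follows them.

Constructed example: Directory, modify_with_referral and the hosts/DNs below
are invented for illustration. Only the LDAP result codes and the referral
URL format are real.
"""
from urllib.parse import urlsplit, unquote

LDAP_SUCCESS = 0
LDAP_REFERRAL = 10          # RFC 4511 resultCode "referral"


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (scheme, host, port, base_dn)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, parts.hostname, port, dn


class Directory:
    """Stand-in for one DC. writable=False models an RODC."""

    def __init__(self, host, writable, rwdc_url=None):
        self.host = host
        self.writable = writable
        self.rwdc_url = rwdc_url      # where the RODC sends writers
        self.entries = {}

    def modify(self, dn, attr, value):
        if not self.writable:
            # The RODC does not forward the write. It hands back a
            # referral to a writable DC and leaves the follow-up to us.
            return LDAP_REFERRAL, [self.rwdc_url]
        self.entries.setdefault(dn, {})[attr] = value
        return LDAP_SUCCESS, []


def modify_with_referral(dc, dn, attr, value, connect, max_hops=3):
    """Client side: retry the write against whichever DC each referral names.

    Returns (final_result_code, [hosts we were referred to]).
    """
    hops = []
    for _ in range(max_hops):
        code, refs = dc.modify(dn, attr, value)
        if code != LDAP_REFERRAL:
            return code, hops
        if not refs:
            raise RuntimeError("referral result without referral URLs")
        _, host, port, _ = parse_ldap_url(refs[0])
        hops.append(host)
        dc = connect(host, port)   # reopen against the RWDC ourselves
    raise RuntimeError("referral chain exceeded %d hops" % max_hops)


# Constructed two-DC domain: one RWDC, one RODC pointing at it.
COMPUTER_DN = "CN=PC01,CN=Computers,DC=samdom,DC=example,DC=com"
RWDC = Directory("dc1.samdom.example.com", writable=True)
RODC = Directory("rodc1.samdom.example.com", writable=False,
                 rwdc_url="ldap://dc1.samdom.example.com/" + COMPUTER_DN)
FLEET = {d.host: d for d in (RWDC, RODC)}


def connect(host, port=389):
    """Stand-in for opening an LDAP connection to `host`."""
    return FLEET[host]


def demo():
    """Send a write to the RODC and let the client follow the referral."""
    code, hops = modify_with_referral(
        RODC, COMPUTER_DN, "dNSHostName", "pc01.samdom.example.com", connect)
    return code, hops, RWDC.entries, RODC.entries


if __name__ == "__main__":
    print(demo())
```

Note that a client which treats resultCode 10 as a plain failure, instead of reopening against the referred host, is exactly the case where a write "just does not happen" on an RODC.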


