[Samba] Samba 4.7+ - RODC and password change support

Garming Sam garming at catalyst.net.nz
Wed Oct 24 00:33:28 UTC 2018


DNS updates are already forwarded through a special mechanism via
winbind. The functionality is there and it has worked in the past (this
functionality predates 4.7 by quite a while), but if there's a problem
with it, then it's a bug.

Cheers,

Garming

On 24/10/18 10:22 AM, Rowland Penny wrote:
> On Wed, 24 Oct 2018 09:45:39 +1300
> Garming Sam <garming at catalyst.net.nz> wrote:
>
>> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
>>> On Tue, 23 Oct 2018 10:07:29 +1300
>>> Garming Sam via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>>>  The deployment works, and computers seem to interact with the
>>>>> RODCs as they should, but sometimes computers leave the domain
>>>>> after a password change.
>>>>>
>>>>>  This seems to happen only on RODCs where the passwords have been
>>>>> replicated - on one occasion the RODC was not set to store
>>>>> password hashes, and computers connected to this RODC don't seem
>>>>> to have issues.
>>>>>
>>>>>  This seems like limitations related to the password management
>>>>> for RODC. Looking at the release notes for later versions (minor
>>>>> and major releases, up to 4.9), I don't see any mention of those
>>>>> limitations being fixed.
>>>>>
>>>>>  Could it be related to our observations? Are they still relevant
>>>>> in 4.9?
>>>>>
>>>>>
>>>>>  I've also found a couple tickets that could be related to the
>>>>> same. They are dated from before 4.7 release, but they've not
>>>>> been updated since then, so I don't know if they still apply to
>>>>> current versions:
>>>>>
>>>>>  * RODC password sync for members of the "allowed rodc replication
>>>>>    group" is not working
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>>>> Just marked this bug as fixed (in 4.7).
>>>>
>>>>>  * Computer password change failure makes local secrets.tdb non
>>>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>>>  * Machine password change does not work on a RODC
>>>>>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>>>
>>>> I don't believe these issues were fully resolved. Password changes
>>>> are write operations and there is normally a forwarding routine
>>>> that passes them to a writable domain controller (which we have
>>>> yet to implement). There might be some paths that work, but we
>>>> haven't got any tests of this.
>>>>
>>>> There haven't been any improvements in this area since 4.7, as far
>>>> as I know.
>>>>
>>>> Cheers,
>>>>
>>>> Garming
>>>>
>>> When 4.7.0 came out, there was this amongst the release notes:
>>>
>>> Improved Read-Only Domain Controller (RODC) Support
>>>
>>> Support for RODCs in Samba AD until now has been experimental. With
>>> this latest version, many of the critical bugs have been fixed and
>>> the RODC can be used in DC environments requiring no writable
>>> behaviour.
>>>
>>> This seems to suggest that using an RODC is no longer experimental
>>> and that it can be used in production.
>>>
>>> However, if there isn't the structure in place to forward all write
>>> operations to an RWDC, then how can it be used in production ?
>> As far as I remember, password changes initiated by machines shouldn't
>> have unjoined the domain (but passwords could fail to rotate). Most of
>> the write operations just come across as LDAP referrals, so it's
>> generally the client's job to redirect themselves to someone writable.
>> Most write RPC calls are blocked but changing a password over RPC was
>> a special case I don't think we actually understood until after the
>> notes were written.
>>
>> Cheers,
>>
>> Garming
>>
>>> Rowland
>>>
> This isn't just about passwords; its very name gives it away: nothing
> is written to AD by an RODC, and anything that does need writing to AD
> must be sent to an RWDC and then replicated back. This means that
> samba_dnsupdate will not work with an RODC; it needs to send the
> requests to another DC, but seemingly that isn't happening.
>
> In my opinion, we need to mark RODCs as experimental until there is
> code in place to pass all write operations from an RODC to an RWDC.
>
> Rowland
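The thread above says that a machine password change sent to an RODC may quietly fail to rotate the password rather than unjoin the host. The practical check for an admin is therefore whether computer accounts served by the RODC still have a pwdLastSet inside the default 30-day rotation window. The script below is an added example, not code from this thread or from the Samba project: it parses an LDIF-style dump (the shape `ldbsearch` prints) and flags computer accounts whose password is older than the window or whose pwdLastSet is 0. sAMAccountName and pwdLastSet are real AD attributes; the sample records, host names, FILETIME values and the REFERENCE_NOW timestamp are constructed for the example.

```python
"""Flag computer accounts whose machine password has not rotated recently.

Added example, not Samba project code. Assumes LDIF-style records carrying
sAMAccountName and pwdLastSet, as `ldbsearch` prints them.
"""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Default machine-account password change interval on Windows clients.
DEFAULT_MAX_AGE_DAYS = 30


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer (as stored in pwdLastSet) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of dicts (last value of a key wins).

    Records are separated by blank lines or `#` comment lines; a line starting
    with a space continues the previous attribute value. Base64 (`::`) values
    are not handled because the attributes used here are never base64-encoded.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key:
            current[last_key] += raw[1:]          # folded continuation line
            continue
        if not raw.strip() or raw.startswith("#"):
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def stale_machine_accounts(ldif_text, now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Return (sAMAccountName, age_in_days) for accounts whose password is older
    than max_age_days; age is None when pwdLastSet is 0 (never set / must change).
    """
    stale = []
    for rec in parse_ldif(ldif_text):
        name = rec.get("sAMAccountName")
        if not name or "pwdLastSet" not in rec:
            continue
        last_set = int(rec["pwdLastSet"])
        if last_set == 0:
            stale.append((name, None))
            continue
        age = now - filetime_to_datetime(last_set)
        if age > timedelta(days=max_age_days):
            stale.append((name, age.days))
    return stale


# Constructed sample modelled on `ldbsearch ... '(objectClass=computer)'
# sAMAccountName pwdLastSet` output; hosts and values are made up.
# 131828256000000000 is 2018-10-01 00:00 UTC, 131775552000000000 is 2018-08-01.
SAMPLE_LDIF = """\
# record 1
dn: CN=WS01,OU=Branch,DC=example,DC=com
sAMAccountName: WS01$
pwdLastSet: 131828256000000000

# record 2
dn: CN=WS02,OU=Branch,DC=example,DC=com
sAMAccountName: WS02$
pwdLastSet: 131775552000000000

# record 3
dn: CN=WS03,OU=Branch,DC=example,DC=com
sAMAccountName: WS03$
pwdLastSet: 0
"""

# Constructed reference time (the date of the mail above) so the run is reproducible.
REFERENCE_NOW = datetime(2018, 10, 24, 0, 33, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, age in stale_machine_accounts(SAMPLE_LDIF, REFERENCE_NOW):
        print(f"{name}: {'pwdLastSet is 0' if age is None else f'{age} days old'}")
```

To run it against a live domain, replace SAMPLE_LDIF with the output of `ldbsearch -H ldap://<dc> '(objectClass=computer)' sAMAccountName pwdLastSet` and REFERENCE_NOW with `datetime.now(timezone.utc)`. Hosts that appear in the stale list but still authenticate are the ones worth checking first: that pattern matches a password change that was accepted nowhere but also did not unjoin the client.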