[Samba] Samba 4.7+ - RODC and password change support

Julien Ropé jrope at linagora.com
Wed Oct 24 10:10:35 UTC 2018


> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.


How can I check how the password change is being done (whether LDAP 
referral or RPC)?

If we are doing it by RPC, shouldn't we see another type of error 
(because it's blocked)?


For what it's worth: We've verified that forcing an update of the hashes 
on the RODC after password change did not prevent the error.




On 23/10/2018 at 22:45, Garming Sam via samba wrote:
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
>> On Tue, 23 Oct 2018 10:07:29 +1300
>> Garming Sam via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>>   The deployment works, and computers seem to interact with the
>>>> RODCs as they should, but sometimes computers leave the domain
>>>> after a password change.
>>>>
>>>>   This seems to happen only on RODC where the passwords have been
>>>> replicated - on one occasion the RODC was not set to store password
>>>> hashes, and computers connected to this RODC don't seem to have
>>>> issues.
>>>>
>>>>   These seem like limitations related to the password management for
>>>> RODCs. Looking at the release notes for later versions (minor and
>>>> major releases, up to 4.9), I don't see any mention of those
>>>> limitations being fixed.
>>>>
>>>>   Could it be related to our observations? Are they still relevant
>>>> in 4.9?
>>>>
>>>>
>>>>   I've also found a couple of tickets that could be related to the same.
>>>> They are dated from before the 4.7 release, but they've not been updated
>>>> since then, so I don't know if they still apply to current versions:
>>>>
>>>>   * RODC password sync for members of the "allowed rodc replication
>>>>     group" is not working
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>>> Just marked this bug as fixed (in 4.7).
>>>
>>>>   * Computer password change failure makes local secrets.tdb non
>>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>>   * Machine password change does not work on a RODC
>>>>     (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>>
>>> I don't believe these issues were fully resolved. Password changes are
>>> write operations and there is normally a forwarding routine that
>>> passes them to a writable domain controller (which we have yet to
>>> implement). There might be some paths that work, but we haven't got
>>> any tests of this.
>>>
>>> There haven't been any improvements in this area since 4.7, as far as
>>> I know.
>>>
>>> Cheers,
>>>
>>> Garming
>>>
>> When 4.7.0 came out, there was this amongst the release notes:
>>
>> Improved Read-Only Domain Controller (RODC) Support
>>
>> Support for RODCs in Samba AD until now has been experimental. With
>> this latest version, many of the critical bugs have been fixed and the
>> RODC can be used in DC environments requiring no writable behaviour.
>>
>> This seems to suggest that using an RODC is no longer experimental and
>> can be used in production.
>>
>> However, if there isn't the structure in place to forward all write
>> operations to an RWDC, then how can it be used in production?
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.
>
> Cheers,
>
> Garming
>
>> Rowland
>>   
>>
--
Message sent with OBM, Free Communication by Linagora
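As an added illustration of the question asked above (an example script, not part of the thread and not Samba's own tooling): one way to tell whether a member's password change reaches the RODC as an LDAP modify of unicodePwd that is answered with a referral, or as a Netlogon/SAMR RPC call, is to capture on the RODC while a client rotates its password and classify each frame by protocol. The tcpdump and tshark invocations in the comments use Wireshark's LDAP, Netlogon and SAMR dissector field names; the opnum and result-code values are the standard protocol constants. The IP addresses and the sample rows fed to the classifier are constructed for the example.

```shell
#!/bin/sh
# Added example: classify how a password change hits a Samba RODC on the wire.
#
# 1. On the RODC, capture the client's traffic while it changes its password:
#      tcpdump -i eth0 -w pwchange.pcap \
#        'host 10.0.0.5 and (port 389 or port 636 or port 445 or port 135)'
# 2. Flatten the capture to one row per frame (pipe-separated, attribute names
#    inside a field are comma-joined by tshark):
#      tshark -r pwchange.pcap -T fields -E separator='|' \
#        -e frame.number -e ip.src -e ldap.protocolOp -e ldap.resultCode \
#        -e ldap.type -e netlogon.opnum -e samr.opnum
# 3. Feed those rows to password_change_path below.
#
# Constants used: LDAP protocolOp 6 = modifyRequest, 7 = modifyResponse;
# LDAP resultCode 10 = referral; Netlogon opnum 30 = NetrServerPasswordSet2;
# SAMR opnum 37/58 = SetInformationUser/SetInformationUser2,
# SAMR opnum 55 = UnicodeChangePasswordUser2.
# RPC opnums sit in the DCE/RPC header, so they stay visible even when the
# stub data is encrypted (schannel / packet privacy); LDAPS on 636 and
# SMB3-encrypted sessions are opaque to this method.

# classify_line ROW: print a one-word label for a single tshark row.
classify_line() {
  IFS='|' read -r frame src ldapop ldaprc ldaptype nlop samrop <<EOF
$1
EOF
  if [ "$nlop" = "30" ]; then
    printf 'rpc-netlogon-ServerPasswordSet2\n'
  elif [ "$samrop" = "37" ] || [ "$samrop" = "58" ]; then
    printf 'rpc-samr-SetInformationUser\n'
  elif [ "$samrop" = "55" ]; then
    printf 'rpc-samr-UnicodeChangePasswordUser2\n'
  elif [ "$ldapop" = "6" ]; then
    case "$ldaptype" in
      *unicodePwd*) printf 'ldap-modify-unicodePwd\n' ;;
      *)            printf 'ldap-modify-other\n' ;;
    esac
  elif [ "$ldapop" = "7" ] && [ "$ldaprc" = "10" ]; then
    printf 'ldap-referral\n'
  elif [ "$ldapop" = "7" ] && [ "$ldaprc" = "0" ]; then
    printf 'ldap-modify-success\n'
  else
    printf 'other\n'
  fi
}

# password_change_path ROWS: summarise a whole capture. Prints "rpc" if any
# password-setting RPC was seen, else "ldap-referral" if the RODC referred the
# client, else "ldap-no-referral" if an LDAP unicodePwd modify got no referral,
# else "none".
password_change_path() {
  rpc=0; ldapmod=0; referral=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$(classify_line "$line")" in
      rpc-*)                  rpc=$((rpc + 1)) ;;
      ldap-modify-unicodePwd) ldapmod=$((ldapmod + 1)) ;;
      ldap-referral)          referral=$((referral + 1)) ;;
    esac
  done <<EOF
$1
EOF
  if [ "$rpc" -gt 0 ]; then printf 'rpc\n'
  elif [ "$referral" -gt 0 ]; then printf 'ldap-referral\n'
  elif [ "$ldapmod" -gt 0 ]; then printf 'ldap-no-referral\n'
  else printf 'none\n'
  fi
}

# Constructed sample (not a real capture): the client tries an LDAP modify of
# unicodePwd, the RODC answers with a referral, and the client then falls back
# to Netlogon NetrServerPasswordSet2 over RPC.
SAMPLE='1|10.0.0.5|6||unicodePwd||
2|10.0.0.1|7|10|||
3|10.0.0.5||||30|'

password_change_path "$SAMPLE"
```

If the summary comes back as `rpc`, the change is taking the RPC path the thread discusses, and the RODC's own log (raise `log level` for the `rpc_srv` class on the RODC) is where to look for how that call is handled; `ldap-referral` means the client was told to go to a writable DC and any later failure is on the client's side of the referral.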