[Samba] Is RODC password replication different from the windows version by design or is it a bug?

Adam Minski aminski316 at gmail.com
Mon Apr 1 06:37:54 UTC 2019 


On 03/29/2019 12:58 PM, Adam Minski wrote:
> 
> 
> On 03/29/2019 10:54 AM, Andrew Bartlett wrote:
>> On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:
>>>
>>> On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
>>>> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
>>>>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
>>>>>
>>>>> [...]
>>>>>
>>>>>>> Should the samba RDOC act like the windows version or is it 
>>>>>>> different
>>>>>>> by design?
>>>>>>>
>>>>>>
>>>>>> Yes it should and there is a bug report for something similar 
>>>>>> already,
>>>>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>>>>>>
>>>>>> I know that is for members of the denied group, but the substance is
>>>>>> the same, users are not getting authenticated on a RODC from a RWDC.
>>>>>>
>>>>>> Can you please add to that bug report ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>
>>>>> Thanks Rowland, that's exactly the topic. Garming Sam has commented it
>>>>> yesterday, the issue is that kerberos forwarding isn't implemented for
>>>>> now. That is exactly what wee seeing, authentication works __after__
>>>>> (from the second attempt on) the initial password sync is done, the
>>>>> first attempt isn't proxied.
>>>>
>>>> It should work, as long as you are using the internal Heimdal KDC, and
>>>> I thought we even had tests for that.  The KDC propagates up a special
>>>> error code to the processing layer to say 'please proxy this packet to
>>>> a full DC' to trigger that
>>>
>>> We use the internal Heimdal KDC, and it doesn't work, at least for
>>> version 4.9.4. Is there any stuff I can test? Or can you give me an
>>> entry point to the code? Thanks.
>>
>> Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c
>> for how it gets the error HDB_NOT_FOUND_HERE and turns that into
>> KDC_PROXY_REQUEST, which triggers sending it off to another DC.
>>
>> A packet trace should be your first task to confirm nothing is being
>> sent on the any DC.
>>
>> Andrew Bartlett
>>
> 
> 
> Well, my fault. The client isn't trying Kerberos, it's trying LDAP 
> simple binds, which works using MS RODCs, but not for Samba RODCs.
> 
> Sorry for that.
> Adam


I can confirm that for samba-4.9.4 using the internal Heimdal KDC 
Kerberos proxying works, simple bind proxying not. Should the latter 
work? If not, are there plans for supporting that and what is the time 
line? If support for proxying simple binds is not there yet but 
experimental code is ongoing, it would be great if I could include it 
into my builds.

Thanks
Adam

More information about the samba mailing list