[Samba] Is RODC password replication different from the windows version by design or is it a bug?

Andrew Bartlett abartlet at samba.org
Mon Apr 1 07:38:51 UTC 2019 

On Mon, 2019-04-01 at 08:37 +0200, Adam Minski wrote:
> 
> On 03/29/2019 12:58 PM, Adam Minski wrote:
> > 
> > On 03/29/2019 10:54 AM, Andrew Bartlett wrote:
> > > On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:
> > > > On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
> > > > > On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> > > > > > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> > > > > > 
> > > > > > [...]
> > > > > > 
> > > > > > > > Should the samba RDOC act like the windows version or is it 
> > > > > > > > different
> > > > > > > > by design?
> > > > > > > > 
> > > > > > > 
> > > > > > > Yes it should and there is a bug report for something similar 
> > > > > > > already,
> > > > > > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > > > > > > 
> > > > > > > I know that is for members of the denied group, but the substance is
> > > > > > > the same, users are not getting authenticated on a RODC from a RWDC.
> > > > > > > 
> > > > > > > Can you please add to that bug report ?
> > > > > > > 
> > > > > > > Rowland
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > Thanks Rowland, that's exactly the topic. Garming Sam has commented it
> > > > > > yesterday, the issue is that kerberos forwarding isn't implemented for
> > > > > > now. That is exactly what wee seeing, authentication works __after__
> > > > > > (from the second attempt on) the initial password sync is done, the
> > > > > > first attempt isn't proxied.
> > > > > 
> > > > > It should work, as long as you are using the internal Heimdal KDC, and
> > > > > I thought we even had tests for that.  The KDC propagates up a special
> > > > > error code to the processing layer to say 'please proxy this packet to
> > > > > a full DC' to trigger that
> > > > 
> > > > We use the internal Heimdal KDC, and it doesn't work, at least for
> > > > version 4.9.4. Is there any stuff I can test? Or can you give me an
> > > > entry point to the code? Thanks.
> > > 
> > > Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c
> > > for how it gets the error HDB_NOT_FOUND_HERE and turns that into
> > > KDC_PROXY_REQUEST, which triggers sending it off to another DC.
> > > 
> > > A packet trace should be your first task to confirm nothing is being
> > > sent on the any DC.
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > Well, my fault. The client isn't trying Kerberos, it's trying LDAP 
> > simple binds, which works using MS RODCs, but not for Samba RODCs.
> > 
> > Sorry for that.
> > Adam
> 
> I can confirm that for samba-4.9.4 using the internal Heimdal KDC 
> Kerberos proxying works, simple bind proxying not. Should the latter 
> work? If not, are there plans for supporting that and what is the time 
> line? If support for proxying simple binds is not there yet but 
> experimental code is ongoing, it would be great if I could include it 
> into my builds.

Its just a bug, I expect there will be a fix soon.

In terms of 'experimental code' the best way to help test Samba's new
features is to run git master and give us feedback or at least to run
our release candidates.  While we hesitate to suggest running
unreleased code in production, sadly these are so rarely used in
production-like environments that we get supprises like this when
releases come out. 

We do write extensive tests Samba's features, particularly when new
features are added or bugs are fixed, but the biggest challenges are in
the 'unknown unknowns', areas we didn't know were not tested.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list