[Samba] Issues with trust_pw_change and RODC

Orion Poplawski orion at nwra.com
Mon Oct 17 16:29:19 UTC 2022


We have three offices/sites each with a RWDC, with two of them with a RODC as
well.  We are seeing issues when a samba domain member tries to update its
trust password and it uses one of the RODCs instead of a RWDC.  e.g.:

Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.047177,  0]
../../source3/libsmb/trusts_util.c:381(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
trust_pw_change(NWRA): Verifying passwords remotely
netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.058971,  0]
../../source3/libsmb/trusts_util.c:453(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
trust_pw_change(NWRA): Verified old password remotely using
netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.059054,  0]
../../source3/libsmb/trusts_util.c:492(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
trust_pw_change(NWRA): Changed password locally
Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.099331,  0]
../../source3/libsmb/trusts_util.c:546(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
trust_pw_change(NWRA): Changed password remotely using
netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.115267,  0]
../../source3/libsmb/trusts_util.c:565(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
trust_pw_change(NWRA): Finished password change.
Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.119393,  0]
../../source3/libsmb/trusts_util.c:611(trust_pw_change)
Oct 11 08:13:06 samba winbindd[1109]:
netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA])
failed for new password - NT_STATUS_ACCESS_DENIED!

Do I need to point samba only to the RWDCs somehow?  Or configure my RODCs
differently?  Or ?

Thanks!

Orion
-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
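
An added example, not part of the original post and not Samba code: a Python check that scans winbindd log text for the sequence in the log above (trust password changed remotely, then netlogon_creds_cli_auth failing for the new password) and reports which DC handled the change. The function name and the `rodc_names` parameter are assumptions; the log itself does not say which DCs are read-only, so the operator supplies that list.

```python
import re

# Constructed sample: the relevant winbindd messages from the post, unwrapped.
SAMPLE = """\
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password locally
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Finished password change.
Oct 11 08:13:06 samba winbindd[1109]: netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]) failed for new password - NT_STATUS_ACCESS_DENIED!
"""

CHANGED = re.compile(
    r"trust_pw_change\((?P<domain>[^)]+)\): Changed password remotely using "
    r"netlogon_creds_cli:CLI\[(?P<client>[^\]]+)\]/SRV\[(?P<dc>[^/\]]+)/")
FAILED = re.compile(
    r"netlogon_creds_cli_auth\(netlogon_creds_cli:CLI\[(?P<client>[^\]]+)\]"
    r"/SRV\[(?P<dc>[^/\]]+)/[^\]]*\]\) failed for new password - "
    r"(?P<status>NT_STATUS_\w+)")

def find_failed_rotations(log_text, rodc_names=()):
    """Pair each remote trust password change with a later re-auth failure.

    rodc_names is an operator-supplied list of read-only DC names (assumption).
    """
    text = " ".join(log_text.split())  # tolerate wrapped log lines
    rodcs = {name.upper() for name in rodc_names}
    events = sorted(
        [(m.start(), "changed", m) for m in CHANGED.finditer(text)]
        + [(m.start(), "failed", m) for m in FAILED.finditer(text)],
        key=lambda event: event[0])
    last_change, findings = {}, []
    for _, kind, m in events:
        if kind == "changed":
            last_change[m["client"]] = (m["domain"], m["dc"])
        elif m["client"] in last_change:
            domain, dc = last_change.pop(m["client"])
            findings.append({
                "client": m["client"], "domain": domain,
                "changed_on": dc, "failed_on": m["dc"],
                "status": m["status"], "via_rodc": dc.upper() in rodcs})
    return findings

if __name__ == "__main__":
    for finding in find_failed_rotations(SAMPLE, rodc_names=["RODC"]):
        print(finding)
```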

