[Samba] Issues with trust_pw_change and RODC

Andrew Bartlett abartlet at samba.org
Tue Oct 18 03:50:59 UTC 2022


Which version of Samba is this?

See https://www.youtube.com/watch?v=jAjTeczxMX8 for a full description
of what is required to change a trust password on an RODC.

If you are running an older Samba version, you may have hit one of the
many issues that Metze describes having to work around.

Andrew Bartlett

On Mon, 2022-10-17 at 10:29 -0600, Orion Poplawski via samba wrote:
> We have three offices/sites each with a RWDC, with two of them with a RODC as
> well.  We are seeing issues when a samba domain member tries to update its
> trust password and it uses one of the RODCs instead of a RWDC.  e.g.:
> 
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.047177,  0]
> ../../source3/libsmb/trusts_util.c:381(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Verifying passwords remotely
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.058971,  0]
> ../../source3/libsmb/trusts_util.c:453(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Verified old password remotely using
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.059054,  0]
> ../../source3/libsmb/trusts_util.c:492(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Changed password locally
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.099331,  0]
> ../../source3/libsmb/trusts_util.c:546(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Changed password remotely using
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.115267,  0]
> ../../source3/libsmb/trusts_util.c:565(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Finished password change.
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.119393,  0]
> ../../source3/libsmb/trusts_util.c:611(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:
> netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA])
> failed for new password - NT_STATUS_ACCESS_DENIED!
> 
> Do I need to point samba only to the RWDCs somehow?  Or configure my RODCs
> differently?  Or ?
> 
> Thanks!
> 
> Orion

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
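
The failure pattern in the quoted log (a remote change reported as done, then authentication with the new password refused) can be detected by correlating the two messages. This is an added example, not part of the original thread or of Samba's code; the function name and the sample log are constructed here, and it assumes each winbindd record has been rejoined onto one line.

```python
import re

# Constructed sample: message lines from the report quoted above, with the
# mail client's line wrapping undone (one syslog record per line).
SAMPLE_LOG = """\
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Verified old password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password locally
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Finished password change.
Oct 11 08:13:06 samba winbindd[1109]: netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]) failed for new password - NT_STATUS_ACCESS_DENIED!
"""

# netlogon_creds_cli:CLI[<client>]/SRV[<server>/<domain>] as printed in the log.
CREDS = (r"netlogon_creds_cli:CLI\[(?P<client>[^\]]+)\]"
         r"/SRV\[(?P<server>[^/\]]+)/(?P<domain>[^\]]+)\]")
CHANGED = re.compile(r"trust_pw_change\([^)]+\): Changed password remotely using " + CREDS)
FAILED = re.compile(r"netlogon_creds_cli_auth\(" + CREDS +
                    r"\)\s+failed for new password - (?P<status>NT_STATUS_\w+)")


def find_broken_trust_changes(lines):
    """Return one finding per 'failed for new password' record, noting which
    server (if any) had just reported the remote change as successful."""
    changed_on = {}  # (client, domain) -> server named in "Changed password remotely"
    findings = []
    for line in lines:
        m = CHANGED.search(line)
        if m:
            changed_on[(m["client"], m["domain"])] = m["server"]
            continue
        m = FAILED.search(line)
        if m:
            key = (m["client"], m["domain"])
            findings.append({
                "client": m["client"],
                "domain": m["domain"],
                "server": m["server"],
                "status": m["status"],
                "change_reported_ok_on": changed_on.pop(key, None),
            })
    return findings


if __name__ == "__main__":
    for finding in find_broken_trust_changes(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding whose `change_reported_ok_on` equals `server` means the member's locally stored password and the one the DC accepts have diverged, so that machine account needs attention before its next logon to the domain.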


