[Samba] Issues with trust_pw_change and RODC

Orion Poplawski orion at nwra.com
Tue Oct 18 15:01:28 UTC 2022


Sorry, mostly:

samba-4.10.16-20.el7_9.x86_64

It does seem like it is https://bugzilla.samba.org/show_bug.cgi?id=14984 but
maybe with such an old version it's something else.

I don't seem to be seeing it on our EL8 systems with:

samba-4.15.5-8.el8_6.x86_64

which presumably suffers from the above issue.  But they don't seem to contact
the RODCs when doing password changes.

It seems like my option for a workaround now is to set "password server" to
only point to the RWDCs.  Does that seem right?

Orion

On 10/17/22 21:50, Andrew Bartlett wrote:
> Which version of Samba is this?
> 
> See https://www.youtube.com/watch?v=jAjTeczxMX8 for a full description of what
> is required to change a trust password on an RODC.
> 
> If you are running an older Samba version, you may have hit one of the many
> issues that Metze describes having to work around.
> 
> Andrew Bartlett
> 
> On Mon, 2022-10-17 at 10:29 -0600, Orion Poplawski via samba wrote:
>> We have three offices/sites each with a RWDC, with two of them with a RODC as
>> well.  We are seeing issues when a samba domain member tries to update its
>> trust password and it uses one of the RODCs instead of a RWDC.  e.g.:
>>
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.047177,  0]
>> ../../source3/libsmb/trusts_util.c:381(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
>> trust_pw_change(NWRA): Verifying passwords remotely
>> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.058971,  0]
>> ../../source3/libsmb/trusts_util.c:453(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
>> trust_pw_change(NWRA): Verified old password remotely using
>> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.059054,  0]
>> ../../source3/libsmb/trusts_util.c:492(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
>> trust_pw_change(NWRA): Changed password locally
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.099331,  0]
>> ../../source3/libsmb/trusts_util.c:546(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
>> trust_pw_change(NWRA): Changed password remotely using
>> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.115267,  0]
>> ../../source3/libsmb/trusts_util.c:565(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 :
>> trust_pw_change(NWRA): Finished password change.
>> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.119393,  0]
>> ../../source3/libsmb/trusts_util.c:611(trust_pw_change)
>> Oct 11 08:13:06 samba winbindd[1109]:
>> netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA])
>> failed for new password - NT_STATUS_ACCESS_DENIED!
>>
>> Do I need to point samba only to the RWDCs somehow?  Or configure my RODCs
>> differently?  Or ?
>>
>> Thanks!
>>
>> Orion
> 
> -- 
> 
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org
> Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
> 

-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
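
One way to spot this failure in winbindd logs, as an added example that is not part of the original message or of Samba: it flags a trust password change that was sent to a DC and then failed re-authentication with the new password. The function name, the `rodcs` parameter (an operator-supplied set of RODC names) and the unwrapped sample lines are assumptions.

```python
import re

# Constructed sample: the winbindd messages quoted in this thread, unwrapped to one per line.
SAMPLE_LOG = """\
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Verified old password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password locally
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]:   2022/10/11 08:13:06 : trust_pw_change(NWRA): Finished password change.
Oct 11 08:13:06 samba winbindd[1109]: netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]) failed for new password - NT_STATUS_ACCESS_DENIED!
"""

# syslog prefix: timestamp, host, winbindd[pid], then the message text
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) winbindd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
# netlogon credential context: CLI[domain/account]/SRV[dc/domain]
CREDS = re.compile(
    r"netlogon_creds_cli:CLI\[(?P<cli>[^\]]+)\]/SRV\[(?P<srv>[^/\]]+)/(?P<dom>[^\]]+)\]")
FAILED = re.compile(r"failed for new password - (?P<status>NT_STATUS_\w+)")

def find_failed_changes(lines, rodcs=frozenset()):
    """Return one finding per change whose re-auth with the new password failed."""
    rodc_names = {name.upper() for name in rodcs}  # assumption: supplied by the operator
    changed = {}   # (host, pid) -> DC the remote password change was sent to
    findings = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        creds = CREDS.search(msg)
        if "Changed password remotely" in msg and creds:
            changed[key] = creds["srv"]
        elif (f := FAILED.search(msg)) and creds and key in changed:
            dc = changed.pop(key)
            findings.append({
                "time": m["ts"], "member": m["host"], "account": creds["cli"],
                "changed_on": dc, "auth_failed_on": creds["srv"],
                "status": f["status"], "changed_on_rodc": dc.upper() in rodc_names,
            })
    return findings

if __name__ == "__main__":
    for finding in find_failed_changes(SAMPLE_LOG.splitlines(), rodcs={"RODC"}):
        print(finding)
```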
