[Samba] Issues with trust_pw_change and RODC
Andrew Bartlett
abartlet at samba.org
Tue Oct 18 17:57:12 UTC 2022
I agree with your analysis, and suggested workaround. But please run
supported versions of Samba, there is so much we have done in the past
3 and more years.
Andrew Bartlett
On Tue, 2022-10-18 at 09:01 -0600, Orion Poplawski wrote:
> Sorry, mostly:
>
> samba-4.10.16-20.el7_9.x86_64
>
> It does seem like it is https://bugzilla.samba.org/show_bug.cgi?id=14984 but
> maybe with such an old version it's something else.
>
> I don't seem to be seeing it on our EL8 systems with:
>
> samba-4.15.5-8.el8_6.x86_64
>
> which presumably suffers from the above issue. But they don't seem to contact
> the RODCs when doing password changes.
>
> It seems like my option for a workaround now is to set "password server" to
> only point to the RWDCs. Does that seem right?
>
> Orion
>
> On 10/17/22 21:50, Andrew Bartlett wrote:
> > Which version of Samba is this?
> >
> > See https://www.youtube.com/watch?v=jAjTeczxMX8 for a full description of what
> > is required to change a trust password on an RODC.
> >
> > If you are running an older Samba version, you may have hit one of the many
> > issues that Metze describes having to work around.
> >
> > Andrew Bartlett
> >
> > On Mon, 2022-10-17 at 10:29 -0600, Orion Poplawski via samba wrote:
> > > We have three offices/sites each with a RWDC, with two of them with a RODC as
> > > well. We are seeing issues when a samba domain member tries to update its
> > > trust password and it uses one of the RODCs instead of a RWDC. e.g.:
> > >
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.047177, 0]
> > > ../../source3/libsmb/trusts_util.c:381(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> > > trust_pw_change(NWRA): Verifying passwords remotely
> > > netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.058971, 0]
> > > ../../source3/libsmb/trusts_util.c:453(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> > > trust_pw_change(NWRA): Verified old password remotely using
> > > netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.059054, 0]
> > > ../../source3/libsmb/trusts_util.c:492(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> > > trust_pw_change(NWRA): Changed password locally
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.099331, 0]
> > > ../../source3/libsmb/trusts_util.c:546(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> > > trust_pw_change(NWRA): Changed password remotely using
> > > netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.115267, 0]
> > > ../../source3/libsmb/trusts_util.c:565(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> > > trust_pw_change(NWRA): Finished password change.
> > > Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.119393, 0]
> > > ../../source3/libsmb/trusts_util.c:611(trust_pw_change)
> > > Oct 11 08:13:06 samba winbindd[1109]:
> > > netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA])
> > > failed for new password - NT_STATUS_ACCESS_DENIED!
> > >
> > > Do I need to point samba only to the RWDCs somehow? Or configure my RODCs
> > > differently? Or ?
> > >
> > > Thanks!
> > >
> > > Orion
> >
> > --
> >
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
> >
>
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
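
Added example, not part of the thread and not Samba code: a small Python check that scans winbindd log text for the sequence reported above, a trust password changed remotely through a DC followed by netlogon_creds_cli_auth failing for the new password on that same DC. The RODC_NAMES set is an assumption (fill in your own read-only DC names), and the sample lines are taken from the excerpt in the thread with the mail wrapping undone.

```python
import re

# Assumption: names of the read-only DCs as they appear inside SRV[...].
RODC_NAMES = {"RODC"}

SRV = r"netlogon_creds_cli:CLI\[[^\]]*\]/SRV\[(?P<srv>[^/\]]+)/(?P<dom>[^\]]+)\]"
CHANGED = re.compile(r"trust_pw_change\([^)]*\): Changed password remotely using " + SRV)
FAILED = re.compile(r"netlogon_creds_cli_auth\(" + SRV
                    + r"\)\s+failed for new password - (?P<status>NT_STATUS_\w+)")

# Three messages from the excerpt in the thread, with the mail wrapping undone.
SAMPLE_LOG = """\
Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password locally
Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 : trust_pw_change(NWRA): Changed password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
Oct 11 08:13:06 samba winbindd[1109]: netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]) failed for new password - NT_STATUS_ACCESS_DENIED!
"""

def find_trust_pw_problems(log_text, rodc_names=RODC_NAMES):
    """Return (kind, domain, server, status) tuples in log order."""
    rodcs = {n.upper() for n in rodc_names}
    last_change = {}   # domain -> DC that accepted the last remote change
    findings = []
    for line in log_text.splitlines():
        m = CHANGED.search(line)
        if m:
            last_change[m["dom"]] = m["srv"]
            if m["srv"].upper() in rodcs:
                findings.append(("changed_via_rodc", m["dom"], m["srv"], None))
            continue
        m = FAILED.search(line)
        # Only report a failure that follows a change on the same DC,
        # which is the sequence shown in the thread.
        if m and last_change.get(m["dom"]) == m["srv"]:
            findings.append(("new_password_rejected", m["dom"], m["srv"], m["status"]))
    return findings

if __name__ == "__main__":
    for finding in find_trust_pw_problems(SAMPLE_LOG):
        print(finding)
```
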