Hi,

I am working on a deployment of Samba as a domain controller, with one central domain controller and several read-only DCs. The deployment works, and computers seem to interact with the RODCs as they should, but sometimes computers leave the domain after a password change.

This seems to happen only on RODCs where the passwords have been replicated - on one occasion the RODC was not set to store password hashes, and computers connected to this RODC don't seem to have issues.

Reading the Samba 4.7 release notes, I find the following paragraph:

> Improved Read-Only Domain Controller (RODC) Support
> ---------------------------------------------------
>
> Support for RODCs in Samba AD until now has been experimental. With this latest
> version, many of the critical bugs have been fixed and the RODC can be used in
> DC environments requiring no writable behaviour. RODCs now correctly support
> bad password lockouts and password disclosure auditing through the
> msDS-RevealedUsers attribute.
>
> The fixes made to the RWDC will also allow Windows RODC to function more
> correctly and to avoid strange data omissions such as failures to replicate
> groups or updated passwords. Password changes are currently rejected at the
> RODC, although referrals should be given over LDAP. While any bad passwords can
> trigger domain-wide lockout, good passwords which have not been replicated yet
> for a password change can only be used via NTLM on the RODC (and not Kerberos).
>
> The reliability of RODCs locating a writable partner still requires some
> improvements and so the 'password server' configuration option is generally
> recommended on the RODC.
>
> Samba 4.7 is the first Samba release to be secure as an RODC or when
> hosting an RODC. If you have been using earlier Samba versions to
> host or be an RODC, please upgrade.
>
> In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
> details on the security implications for password disclosure to an
> RODC using earlier versions.

These seem like limitations related to the password management for RODCs. Looking at the release notes for later versions (minor and major releases, up to 4.9), I don't see any mention of those limitations being fixed.

Could it be related to our observations? Are they still relevant in 4.9?

I've also found a couple of tickets that could be related to the same. They are dated from before the 4.7 release, but they've not been updated since then, so I don't know if they still apply to current versions:

* RODC password sync for members of the "allowed rodc replication group" is not working (https://bugzilla.samba.org/show_bug.cgi?id=12771)
* Computer password change failure makes local secrets.tdb non usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
* Machine password change does not work on a RODC (https://bugzilla.samba.org/show_bug.cgi?id=12774)

From your experience, are we facing a known bug or limitation, or are there some configuration settings that we are missing? Do you have any recommendations/documentation to set up Samba as an RODC (other than https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)?

Best regards,

Julien

--
Message sent using OBM, Free Communication by Linagora
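The release notes quoted above name msDS-RevealedUsers as the audit trail for which accounts' secrets an RODC has received. The script below is an added example, not code from the thread or from Samba: it reads that attribute from the RODC's computer object with ldbsearch and lists the distinct accounts. The sam.ldb path, the RODC account name RODC1$, and the sample ldbsearch output (including its hex ids) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: list the accounts whose
# secrets have been revealed to an RODC, from the msDS-RevealedUsers attribute
# of the RODC's computer object. Each value is DN-Binary, "B:<hexlen>:<hex>:<dn>",
# one value per revealed secret attribute; only the distinct DNs are printed.
# The sam.ldb path and the RODC account name are assumptions.

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
RODC_ACCOUNT="${RODC_ACCOUNT:-RODC1\$}"

# ldbsearch prints LDIF, which folds long values onto continuation lines that
# start with a single space; join them back before parsing.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) printf "\n"; printf "%s", $0 }
         END { printf "\n" }'
}

# Keep the DN after the third ':' so ':' characters inside the DN survive.
parse_revealed() {
    unfold_ldif \
      | sed -n 's/^msDS-RevealedUsers: B:[0-9]*:[0-9A-Fa-f]*://p' \
      | sort -u
}

# Run against the live database (on the RODC, or on a writable DC that
# replicates the attribute); read access to sam.ldb is required.
list_revealed() {
    ldbsearch -H "$SAM_DB" "(sAMAccountName=$RODC_ACCOUNT)" msDS-RevealedUsers \
      | parse_revealed
}

# Constructed sample of ldbsearch output (hex ids are placeholders, and the
# last value is folded the way ldb folds long lines), for an offline check.
SAMPLE='# record 1
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=com
msDS-RevealedUsers: B:8:0000002B:CN=PC-01,CN=Computers,DC=example,DC=com
msDS-RevealedUsers: B:8:00000059:CN=PC-01,CN=Computers,DC=example,DC=com
msDS-RevealedUsers: B:8:0000002B:CN=Alice Smith,CN=Users,DC=example,
 DC=com

# returned 1 records
# 1 entries
# 0 referrals'

sample_revealed() {
    printf '%s\n' "$SAMPLE" | parse_revealed
}
[ "${1:-}" = "--sample" ] && sample_revealed || true
```

Run it with `--sample` to see the parser on the constructed output, or call `list_revealed` on a DC to query the real attribute.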
Hi,

On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>
> The deployment works, and computers seem to interact with the RODCs
> as they should, but sometimes computers leave the domain after a
> password change.
>
> This seems to happen only on RODCs where the passwords have been
> replicated - on one occasion the RODC was not set to store password
> hashes, and computers connected to this RODC don't seem to have issues.
>
> These seem like limitations related to the password management for
> RODCs. Looking at the release notes for later versions (minor and major
> releases, up to 4.9), I don't see any mention of those limitations
> being fixed.
>
> Could it be related to our observations? Are they still relevant in 4.9?
>
>
> I've also found a couple of tickets that could be related to the same.
> They are dated from before the 4.7 release, but they've not been updated
> since then, so I don't know if they still apply to current versions:
>
> * RODC password sync for members of the "allowed rodc replication
> group" is not working
> (https://bugzilla.samba.org/show_bug.cgi?id=12771)

Just marked this bug as fixed (in 4.7).

> * Computer password change failure makes local secrets.tdb non usable
> (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> * Machine password change does not work on a RODC
> (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>

I don't believe these issues were fully resolved. Password changes are write operations and there is normally a forwarding routine that passes them to a writable domain controller (which we have yet to implement). There might be some paths that work, but we haven't got any tests of this.

There haven't been any improvements in this area since 4.7, as far as I know.

Cheers,

Garming

> From your experience, are we facing a known bug or limitation, or are
> there some configuration settings that we are missing?
>
> Do you have any recommendations/documentation to set up Samba as an
> RODC (other than
> https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)?
>
>
> Best regards,
>
> Julien
>
>
>
> --
> Message sent using OBM, Free Communication by Linagora
>
On Tue, 23 Oct 2018 10:07:29 +1300
Garming Sam via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >
> > The deployment works, and computers seem to interact with the
> > RODCs as they should, but sometimes computers leave the domain
> > after a password change.
> >
> > This seems to happen only on RODCs where the passwords have been
> > replicated - on one occasion the RODC was not set to store password
> > hashes, and computers connected to this RODC don't seem to have
> > issues.
> >
> > These seem like limitations related to the password management for
> > RODCs. Looking at the release notes for later versions (minor and
> > major releases, up to 4.9), I don't see any mention of those
> > limitations being fixed.
> >
> > Could it be related to our observations? Are they still relevant
> > in 4.9?
> >
> >
> > I've also found a couple of tickets that could be related to the same.
> > They are dated from before the 4.7 release, but they've not been updated
> > since then, so I don't know if they still apply to current versions:
> >
> > * RODC password sync for members of the "allowed rodc replication
> > group" is not working
> > (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>
> Just marked this bug as fixed (in 4.7).
>
> > * Computer password change failure makes local secrets.tdb non
> > usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> > * Machine password change does not work on a RODC
> > (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >
> I don't believe these issues were fully resolved. Password changes are
> write operations and there is normally a forwarding routine that
> passes them to a writable domain controller (which we have yet to
> implement). There might be some paths that work, but we haven't got
> any tests of this.
>
> There haven't been any improvements in this area since 4.7, as far as
> I know.
>
> Cheers,
>
> Garming
>

When 4.7.0 came out, there was this amongst the release notes:

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With this latest version, many of the critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour.

This seems to suggest that using an RODC is no longer experimental and can be used in production. However, if there isn't the structure in place to forward all write operations to an RWDC, then how can it be used in production?

Rowland