On Tue, 23 Oct 2018 10:07:29 +1300
Garming Sam via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >
> > The deployment works, and computers seem to interact with the
> > RODCs as they should, but sometimes computers leave the domain
> > after a password change.
> >
> > This seems to happen only on RODC where the passwords have been
> > replicated - on one occasion the RODC was not set to store password
> > hashes, and computers connected to this RODC don't seem to have
> > issues.
> >
> > This seems like limitations related to the password management for
> > RODC. Looking at the release notes for later versions (minor and
> > major releases, up to 4.9), I don't see any mention of those
> > limitations being fixed.
> >
> > Could it be related to our observations? Are they still relevant
> > in 4.9?
> >
> >
> > I've also found a couple of tickets that could be related to the same.
> > They are dated from before the 4.7 release, but they've not been updated
> > since then, so I don't know if they still apply to current versions:
> >
> > * RODC password sync for members of the "allowed rodc replication
> > group" is not working
> > (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>
> Just marked this bug as fixed (in 4.7).
>
> > * Computer password change failure makes local secrets.tdb non
> > usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> > * Machine password change does not work on a RODC
> > (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >
>
> I don't believe these issues were fully resolved. Password changes are
> write operations and there is normally a forwarding routine that
> passes them to a writable domain controller (which we have yet to
> implement). There might be some paths that work, but we haven't got
> any tests of this.
>
> There haven't been any improvements in this area since 4.7, as far as
> I know.
>
> Cheers,
>
> Garming
>

When 4.7.0 came out, there was this amongst the release notes:

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With
this latest version, many of the critical bugs have been fixed and the
RODC can be used in DC environments requiring no writable behaviour.

This seems to suggest that using an RODC is no longer experimental and
can be used in production.

However, if there isn't the structure in place to forward all write
operations to an RWDC, then how can it be used in production?

Rowland

On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> On Tue, 23 Oct 2018 10:07:29 +1300
> Garming Sam via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>> The deployment works, and computers seem to interact with the
>>> RODCs as they should, but sometimes computers leave the domain
>>> after a password change.
>>>
>>> This seems to happen only on RODC where the passwords have been
>>> replicated - on one occasion the RODC was not set to store password
>>> hashes, and computers connected to this RODC don't seem to have
>>> issues.
>>>
>>> This seems like limitations related to the password management for
>>> RODC. Looking at the release notes for later versions (minor and
>>> major releases, up to 4.9), I don't see any mention of those
>>> limitations being fixed.
>>>
>>> Could it be related to our observations? Are they still relevant
>>> in 4.9?
>>>
>>>
>>> I've also found a couple of tickets that could be related to the same.
>>> They are dated from before the 4.7 release, but they've not been updated
>>> since then, so I don't know if they still apply to current versions:
>>>
>>> * RODC password sync for members of the "allowed rodc replication
>>> group" is not working
>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>> Just marked this bug as fixed (in 4.7).
>>
>>> * Computer password change failure makes local secrets.tdb non
>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>> * Machine password change does not work on a RODC
>>> (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>
>> I don't believe these issues were fully resolved. Password changes are
>> write operations and there is normally a forwarding routine that
>> passes them to a writable domain controller (which we have yet to
>> implement). There might be some paths that work, but we haven't got
>> any tests of this.
>>
>> There haven't been any improvements in this area since 4.7, as far as
>> I know.
>>
>> Cheers,
>>
>> Garming
>>
> When 4.7.0 came out, there was this amongst the release notes:
>
> Improved Read-Only Domain Controller (RODC) Support
>
> Support for RODCs in Samba AD until now has been experimental. With
> this latest version, many of the critical bugs have been fixed and the
> RODC can be used in DC environments requiring no writable behaviour.
>
> This seems to suggest that using an RODC is no longer experimental and
> can be used in production.
>
> However, if there isn't the structure in place to forward all write
> operations to an RWDC, then how can it be used in production?

As far as I remember, password changes initiated by machines shouldn't
have unjoined the domain (but passwords could fail to rotate). Most of
the write operations just come across as LDAP referrals, so it's
generally the client's job to redirect themselves to someone writable.
Most write RPC calls are blocked, but changing a password over RPC was
a special case I don't think we actually understood until after the
notes were written.

Cheers,

Garming

>
> Rowland
>
>

On Wed, 24 Oct 2018 09:45:39 +1300
Garming Sam <garming at catalyst.net.nz> wrote:

>
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> > On Tue, 23 Oct 2018 10:07:29 +1300
> > Garming Sam via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >>> The deployment works, and computers seem to interact with the
> >>> RODCs as they should, but sometimes computers leave the domain
> >>> after a password change.
> >>>
> >>> This seems to happen only on RODC where the passwords have been
> >>> replicated - on one occasion the RODC was not set to store
> >>> password hashes, and computers connected to this RODC don't seem
> >>> to have issues.
> >>>
> >>> This seems like limitations related to the password management
> >>> for RODC. Looking at the release notes for later versions (minor
> >>> and major releases, up to 4.9), I don't see any mention of those
> >>> limitations being fixed.
> >>>
> >>> Could it be related to our observations? Are they still relevant
> >>> in 4.9?
> >>>
> >>>
> >>> I've also found a couple of tickets that could be related to the
> >>> same. They are dated from before the 4.7 release, but they've not
> >>> been updated since then, so I don't know if they still apply to
> >>> current versions:
> >>>
> >>> * RODC password sync for members of the "allowed rodc replication
> >>> group" is not working
> >>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
> >> Just marked this bug as fixed (in 4.7).
> >>
> >>> * Computer password change failure makes local secrets.tdb non
> >>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> >>> * Machine password change does not work on a RODC
> >>> (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >>>
> >> I don't believe these issues were fully resolved. Password changes
> >> are write operations and there is normally a forwarding routine
> >> that passes them to a writable domain controller (which we have
> >> yet to implement). There might be some paths that work, but we
> >> haven't got any tests of this.
> >>
> >> There haven't been any improvements in this area since 4.7, as far
> >> as I know.
> >>
> >> Cheers,
> >>
> >> Garming
> >>
> > When 4.7.0 came out, there was this amongst the release notes:
> >
> > Improved Read-Only Domain Controller (RODC) Support
> >
> > Support for RODCs in Samba AD until now has been experimental. With
> > this latest version, many of the critical bugs have been fixed and
> > the RODC can be used in DC environments requiring no writable
> > behaviour.
> >
> > This seems to suggest that using an RODC is no longer experimental
> > and can be used in production.
> >
> > However, if there isn't the structure in place to forward all write
> > operations to an RWDC, then how can it be used in production?
>
> As far as I remember, password changes initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked, but changing a password over RPC was
> a special case I don't think we actually understood until after the
> notes were written.
>
> Cheers,
>
> Garming
>
> >
> > Rowland
> >
> >

This isn't just about passwords; its very name gives it away: nothing
is written to AD by an RODC. Anything that does need writing to AD must
be sent to an RWDC and then replicated back. This means that
samba_dnsupdate will not work with an RODC; it needs to send the
requests to another DC, but seemingly that isn't happening.

In my opinion, we need to mark RODCs as experimental until there is
code in place to pass all write operations from an RODC to an RWDC.

Rowland

> As far as I remember, password changes initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked, but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.

How can I check how the password change is being done (whether LDAP
referral or RPC)? If we are doing it by RPC, shouldn't we see another
type of error (because it's blocked)?

For what it's worth: we've verified that forcing an update of the hashes
on the RODC after the password change did not prevent the error.

On 23/10/2018 at 22:45, Garming Sam via samba wrote:
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
>> On Tue, 23 Oct 2018 10:07:29 +1300
>> Garming Sam via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>> The deployment works, and computers seem to interact with the
>>>> RODCs as they should, but sometimes computers leave the domain
>>>> after a password change.
>>>>
>>>> This seems to happen only on RODC where the passwords have been
>>>> replicated - on one occasion the RODC was not set to store password
>>>> hashes, and computers connected to this RODC don't seem to have
>>>> issues.
>>>>
>>>> This seems like limitations related to the password management for
>>>> RODC. Looking at the release notes for later versions (minor and
>>>> major releases, up to 4.9), I don't see any mention of those
>>>> limitations being fixed.
>>>>
>>>> Could it be related to our observations? Are they still relevant
>>>> in 4.9?
>>>>
>>>>
>>>> I've also found a couple of tickets that could be related to the same.
>>>> They are dated from before the 4.7 release, but they've not been updated
>>>> since then, so I don't know if they still apply to current versions:
>>>>
>>>> * RODC password sync for members of the "allowed rodc replication
>>>> group" is not working
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>>> Just marked this bug as fixed (in 4.7).
>>>
>>>> * Computer password change failure makes local secrets.tdb non
>>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>> * Machine password change does not work on a RODC
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>>
>>> I don't believe these issues were fully resolved. Password changes are
>>> write operations and there is normally a forwarding routine that
>>> passes them to a writable domain controller (which we have yet to
>>> implement). There might be some paths that work, but we haven't got
>>> any tests of this.
>>>
>>> There haven't been any improvements in this area since 4.7, as far as
>>> I know.
>>>
>>> Cheers,
>>>
>>> Garming
>>>
>> When 4.7.0 came out, there was this amongst the release notes:
>>
>> Improved Read-Only Domain Controller (RODC) Support
>>
>> Support for RODCs in Samba AD until now has been experimental. With
>> this latest version, many of the critical bugs have been fixed and the
>> RODC can be used in DC environments requiring no writable behaviour.
>>
>> This seems to suggest that using an RODC is no longer experimental and
>> can be used in production.
>>
>> However, if there isn't the structure in place to forward all write
>> operations to an RWDC, then how can it be used in production?
> As far as I remember, password changes initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked, but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.
>
> Cheers,
>
> Garming
>
>> Rowland
>>
>>