samba - Oct 2018 - Samba 4.7+ - RODC and password change support

On Tue, 23 Oct 2018 10:07:29 +1300
Garming Sam via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >
> >  The deployment works, and computers seems to interact with the
> > RODCs as they should, but sometimes computers leave the domain
> > after a password change.
> >
> >  This seems to happen only on RODC where the passwords have been
> > replicated - on one occasion the RODC was not set to store password
> > hashes, and computers connected to this RODC don't seem to have
> > issues.
> >
> >  This seems like limitations related to the password management for
> > RODC.Looking at the release notes for later versions (minor and
> > major releases, up to 4.9), I don't see any mention of those
> > limitations being fixed.
> >
> >  Could it be related to our observations? Are they still relevant
> > in 4.9?
> >
> >
> >  I've also found a couple tickets that could be related to the
same.
> > They are dated from before 4.7 release, but they've not been
updated
> > since then, so I don't know if they still apply to current
versions:
> >
> >  * RODC password sync for members of the "allowed rodc
replication
> >    group" is not working
> > (https://bugzilla.samba.org/show_bug.cgi?id=12771)
> 
> Just marked this bug as fixed (in 4.7).
> 
> >  * Computer password change failure makes local secrets.tdb non
> > usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> >  * Machine password change does not work on a RODC
> >    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >
> I don't believe these issues were fully resolved. Password changes are
> write operations and there is normally a forwarding routine that
> passes them to a writable domain controller (which we have yet to
> implement). There might be some paths that work, but we haven't got
> any tests of this.
> 
> There haven't been any improvements in this area since 4.7, as far as
> I know.
> 
> Cheers,
> 
> Garming
> 
When 4.7.0 came out, there was this amongst the release notes:

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With
this latest version, many of the critical bugs have been fixed and the
RODC can be used in DC environments requiring no writable behaviour. 

This seems to suggest that using an RODC is no longer experimental and
can be using in production.

However, if there isn't the structure in place to forward all write
operations to an RWDC, then how can it be used in production ?

Rowland

On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> On Tue, 23 Oct 2018 10:07:29 +1300
> Garming Sam via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>  The deployment works, and computers seems to interact with the
>>> RODCs as they should, but sometimes computers leave the domain
>>> after a password change.
>>>
>>>  This seems to happen only on RODC where the passwords have been
>>> replicated - on one occasion the RODC was not set to store password
>>> hashes, and computers connected to this RODC don't seem to have
>>> issues.
>>>
>>>  This seems like limitations related to the password management for
>>> RODC.Looking at the release notes for later versions (minor and
>>> major releases, up to 4.9), I don't see any mention of those
>>> limitations being fixed.
>>>
>>>  Could it be related to our observations? Are they still relevant
>>> in 4.9?
>>>
>>>
>>>  I've also found a couple tickets that could be related to the
same.
>>> They are dated from before 4.7 release, but they've not been
updated
>>> since then, so I don't know if they still apply to current
versions:
>>>
>>>  * RODC password sync for members of the "allowed rodc
replication
>>>    group" is not working
>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>> Just marked this bug as fixed (in 4.7).
>>
>>>  * Computer password change failure makes local secrets.tdb non
>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>  * Machine password change does not work on a RODC
>>>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>
>> I don't believe these issues were fully resolved. Password changes
are
>> write operations and there is normally a forwarding routine that
>> passes them to a writable domain controller (which we have yet to
>> implement). There might be some paths that work, but we haven't got
>> any tests of this.
>>
>> There haven't been any improvements in this area since 4.7, as far
as
>> I know.
>>
>> Cheers,
>>
>> Garming
>>
> When 4.7.0 came out, there was this amongst the release notes:
>
> Improved Read-Only Domain Controller (RODC) Support
>
> Support for RODCs in Samba AD until now has been experimental. With
> this latest version, many of the critical bugs have been fixed and the
> RODC can be used in DC environments requiring no writable behaviour. 
>
> This seems to suggest that using an RODC is no longer experimental and
> can be using in production.
>
> However, if there isn't the structure in place to forward all write
> operations to an RWDC, then how can it be used in production ?
As far as I remember, change passwords initiated by machines shouldn't
have unjoined the domain (but passwords could fail to rotate). Most of
the write operations just come across as LDAP referrals, so it's
generally the client's job to redirect themselves to someone writable.
Most write RPC calls are blocked but changing a password over RPC was a
special case I don't think we actually understood until after the notes
were written.

Cheers,

Garming
>
> Rowland
>  
>

On Wed, 24 Oct 2018 09:45:39 +1300
Garming Sam <garming at catalyst.net.nz> wrote:
> 
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
> > On Tue, 23 Oct 2018 10:07:29 +1300
> > Garming Sam via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
> >>>  The deployment works, and computers seems to interact with
the
> >>> RODCs as they should, but sometimes computers leave the domain
> >>> after a password change.
> >>>
> >>>  This seems to happen only on RODC where the passwords have
been
> >>> replicated - on one occasion the RODC was not set to store
> >>> password hashes, and computers connected to this RODC
don't seem
> >>> to have issues.
> >>>
> >>>  This seems like limitations related to the password
management
> >>> for RODC.Looking at the release notes for later versions
(minor
> >>> and major releases, up to 4.9), I don't see any mention of
those
> >>> limitations being fixed.
> >>>
> >>>  Could it be related to our observations? Are they still
relevant
> >>> in 4.9?
> >>>
> >>>
> >>>  I've also found a couple tickets that could be related to
the
> >>> same. They are dated from before 4.7 release, but they've
not
> >>> been updated since then, so I don't know if they still
apply to
> >>> current versions:
> >>>
> >>>  * RODC password sync for members of the "allowed rodc
replication
> >>>    group" is not working
> >>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
> >> Just marked this bug as fixed (in 4.7).
> >>
> >>>  * Computer password change failure makes local secrets.tdb
non
> >>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
> >>>  * Machine password change does not work on a RODC
> >>>    (https://bugzilla.samba.org/show_bug.cgi?id=12774)
> >>>
> >> I don't believe these issues were fully resolved. Password
changes
> >> are write operations and there is normally a forwarding routine
> >> that passes them to a writable domain controller (which we have
> >> yet to implement). There might be some paths that work, but we
> >> haven't got any tests of this.
> >>
> >> There haven't been any improvements in this area since 4.7, as
far
> >> as I know.
> >>
> >> Cheers,
> >>
> >> Garming
> >>
> > When 4.7.0 came out, there was this amongst the release notes:
> >
> > Improved Read-Only Domain Controller (RODC) Support
> >
> > Support for RODCs in Samba AD until now has been experimental. With
> > this latest version, many of the critical bugs have been fixed and
> > the RODC can be used in DC environments requiring no writable
> > behaviour. 
> >
> > This seems to suggest that using an RODC is no longer experimental
> > and can be using in production.
> >
> > However, if there isn't the structure in place to forward all
write
> > operations to an RWDC, then how can it be used in production ?
> 
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was
> a special case I don't think we actually understood until after the
> notes were written.
> 
> Cheers,
> 
> Garming
> 
> >
> > Rowland
> >  
> >
This isn't just about passwords, its very name gives it away, nothing
is written to AD by an RODC, anything that does need writing to AD must
be sent to an RWDC and then replicated back. This means that
samba_dnsupdate will not work with an RODC, it needs to send the
requests to another DC, but seemingly it isn't happening.

In my opinion, we need to mark RODC's as experimental until there is
code in place to pass all write operations from an RODC to an RWDC.

Rowland

> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.

How can I check how the password change is being done (whether LDAP 
referral or RPC) ?

If we are doing it by RPC, shouldn't we see another type of error 
(because it's blocked) ?


For what it's worth: We've verified that forcing an update of the hashes
on the RODC after password change did not prevent the error.




Le 23/10/2018 à 22:45, Garming Sam via samba a écrit :
> On 23/10/18 9:48 PM, Rowland Penny via samba wrote:
>> On Tue, 23 Oct 2018 10:07:29 +1300
>> Garming Sam via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> On 20/10/18 1:26 AM, Julien Ropé via samba wrote:
>>>>   The deployment works, and computers seems to interact with
the
>>>> RODCs as they should, but sometimes computers leave the domain
>>>> after a password change.
>>>>
>>>>   This seems to happen only on RODC where the passwords have
been
>>>> replicated - on one occasion the RODC was not set to store
password
>>>> hashes, and computers connected to this RODC don't seem to
have
>>>> issues.
>>>>
>>>>   This seems like limitations related to the password
management for
>>>> RODC.Looking at the release notes for later versions (minor and
>>>> major releases, up to 4.9), I don't see any mention of
those
>>>> limitations being fixed.
>>>>
>>>>   Could it be related to our observations? Are they still
relevant
>>>> in 4.9?
>>>>
>>>>
>>>>   I've also found a couple tickets that could be related to
the same.
>>>> They are dated from before 4.7 release, but they've not
been updated
>>>> since then, so I don't know if they still apply to current
versions:
>>>>
>>>>   * RODC password sync for members of the "allowed rodc
replication
>>>>     group" is not working
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=12771)
>>> Just marked this bug as fixed (in 4.7).
>>>
>>>>   * Computer password change failure makes local secrets.tdb
non
>>>> usable (https://bugzilla.samba.org/show_bug.cgi?id=12773)
>>>>   * Machine password change does not work on a RODC
>>>>     (https://bugzilla.samba.org/show_bug.cgi?id=12774)
>>>>
>>> I don't believe these issues were fully resolved. Password
changes are
>>> write operations and there is normally a forwarding routine that
>>> passes them to a writable domain controller (which we have yet to
>>> implement). There might be some paths that work, but we haven't
got
>>> any tests of this.
>>>
>>> There haven't been any improvements in this area since 4.7, as
far as
>>> I know.
>>>
>>> Cheers,
>>>
>>> Garming
>>>
>> When 4.7.0 came out, there was this amongst the release notes:
>>
>> Improved Read-Only Domain Controller (RODC) Support
>>
>> Support for RODCs in Samba AD until now has been experimental. With
>> this latest version, many of the critical bugs have been fixed and the
>> RODC can be used in DC environments requiring no writable behaviour.
>>
>> This seems to suggest that using an RODC is no longer experimental and
>> can be using in production.
>>
>> However, if there isn't the structure in place to forward all write
>> operations to an RWDC, then how can it be used in production ?
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the client's job to redirect themselves to someone writable.
> Most write RPC calls are blocked but changing a password over RPC was a
> special case I don't think we actually understood until after the notes
> were written.
>
> Cheers,
>
> Garming
>
>> Rowland
>>   
>>
--
Message envoyé grâce à OBM, la Communication Libre par Linagora