samba - Mar 2019 - Is RODC password replication different from the windows version by design or is it a bug?

On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
>>
>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
>>
>> [...]
>>
>>>> Should the samba RDOC act like the windows version or is it
different
>>>> by design?
>>>>
>>>
>>> Yes it should and there is a bug report for something similar
already,
>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>>>
>>> I know that is for members of the denied group, but the substance
is
>>> the same, users are not getting authenticated on a RODC from a
RWDC.
>>>
>>> Can you please add to that bug report ?
>>>
>>> Rowland
>>>
>>>
>>
>> Thanks Rowland, that's exactly the topic. Garming Sam has commented
it
>> yesterday, the issue is that kerberos forwarding isn't implemented
for
>> now. That is exactly what wee seeing, authentication works __after__
>> (from the second attempt on) the initial password sync is done, the
>> first attempt isn't proxied.
> 
> It should work, as long as you are using the internal Heimdal KDC, and
> I thought we even had tests for that.  The KDC propagates up a special
> error code to the processing layer to say 'please proxy this packet to
> a full DC' to trigger that
We use the internal Heimdal KDC, and it doesn't work, at least for 
version 4.9.4. Is there any stuff I can test? Or can you give me an 
entry point to the code? Thanks.

Adam
> 
> There are other things we don't fully implement (like forwarding bad
> passwords, we do that by sending a bad NTLM password, not a Kerberos
> one), but this much should work...
> 
> Andrew Bartlett
>

On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:
> 
> On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
> > On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> > > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> > > 
> > > [...]
> > > 
> > > > > Should the samba RDOC act like the windows version or
is it different
> > > > > by design?
> > > > > 
> > > > 
> > > > Yes it should and there is a bug report for something
similar already,
> > > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > > > 
> > > > I know that is for members of the denied group, but the
substance is
> > > > the same, users are not getting authenticated on a RODC from
a RWDC.
> > > > 
> > > > Can you please add to that bug report ?
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > 
> > > Thanks Rowland, that's exactly the topic. Garming Sam has
commented it
> > > yesterday, the issue is that kerberos forwarding isn't
implemented for
> > > now. That is exactly what wee seeing, authentication works
__after__
> > > (from the second attempt on) the initial password sync is done,
the
> > > first attempt isn't proxied.
> > 
> > It should work, as long as you are using the internal Heimdal KDC, and
> > I thought we even had tests for that.  The KDC propagates up a special
> > error code to the processing layer to say 'please proxy this
packet to
> > a full DC' to trigger that
> 
> We use the internal Heimdal KDC, and it doesn't work, at least for 
> version 4.9.4. Is there any stuff I can test? Or can you give me an 
> entry point to the code? Thanks.
Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c
for how it gets the error HDB_NOT_FOUND_HERE and turns that into
KDC_PROXY_REQUEST, which triggers sending it off to another DC.  

A packet trace should be your first task to confirm nothing is being
sent on the any DC.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 03/29/2019 10:54 AM, Andrew Bartlett wrote:
> On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:
>>
>> On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
>>> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
>>>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
>>>>
>>>> [...]
>>>>
>>>>>> Should the samba RDOC act like the windows version or
is it different
>>>>>> by design?
>>>>>>
>>>>>
>>>>> Yes it should and there is a bug report for something
similar already,
>>>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>>>>>
>>>>> I know that is for members of the denied group, but the
substance is
>>>>> the same, users are not getting authenticated on a RODC
from a RWDC.
>>>>>
>>>>> Can you please add to that bug report ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>> Thanks Rowland, that's exactly the topic. Garming Sam has
commented it
>>>> yesterday, the issue is that kerberos forwarding isn't
implemented for
>>>> now. That is exactly what wee seeing, authentication works
__after__
>>>> (from the second attempt on) the initial password sync is done,
the
>>>> first attempt isn't proxied.
>>>
>>> It should work, as long as you are using the internal Heimdal KDC,
and
>>> I thought we even had tests for that.  The KDC propagates up a
special
>>> error code to the processing layer to say 'please proxy this
packet to
>>> a full DC' to trigger that
>>
>> We use the internal Heimdal KDC, and it doesn't work, at least for
>> version 4.9.4. Is there any stuff I can test? Or can you give me an
>> entry point to the code? Thanks.
> 
> Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c
> for how it gets the error HDB_NOT_FOUND_HERE and turns that into
> KDC_PROXY_REQUEST, which triggers sending it off to another DC.
> 
> A packet trace should be your first task to confirm nothing is being
> sent on the any DC.
> 
> Andrew Bartlett
> 

Well, my fault. The client isn't trying Kerberos, it's trying LDAP 
simple binds, which works using MS RODCs, but not for Samba RODCs.

Sorry for that.
Adam