Adam Minski
2019-Mar-29 09:44 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/29/2019 10:37 AM, Andrew Bartlett wrote:> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: >> >> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: >> >> [...] >> >>>> Should the samba RDOC act like the windows version or is it different >>>> by design? >>>> >>> >>> Yes it should and there is a bug report for something similar already, >>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 >>> >>> I know that is for members of the denied group, but the substance is >>> the same, users are not getting authenticated on a RODC from a RWDC. >>> >>> Can you please add to that bug report ? >>> >>> Rowland >>> >>> >> >> Thanks Rowland, that's exactly the topic. Garming Sam has commented it >> yesterday, the issue is that kerberos forwarding isn't implemented for >> now. That is exactly what wee seeing, authentication works __after__ >> (from the second attempt on) the initial password sync is done, the >> first attempt isn't proxied. > > It should work, as long as you are using the internal Heimdal KDC, and > I thought we even had tests for that. The KDC propagates up a special > error code to the processing layer to say 'please proxy this packet to > a full DC' to trigger thatWe use the internal Heimdal KDC, and it doesn't work, at least for version 4.9.4. Is there any stuff I can test? Or can you give me an entry point to the code? Thanks. Adam> > There are other things we don't fully implement (like forwarding bad > passwords, we do that by sending a bad NTLM password, not a Kerberos > one), but this much should work... > > Andrew Bartlett >
Andrew Bartlett
2019-Mar-29 09:54 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote:> > On 03/29/2019 10:37 AM, Andrew Bartlett wrote: > > On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: > > > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: > > > > > > [...] > > > > > > > > Should the samba RDOC act like the windows version or is it different > > > > > by design? > > > > > > > > > > > > > Yes it should and there is a bug report for something similar already, > > > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 > > > > > > > > I know that is for members of the denied group, but the substance is > > > > the same, users are not getting authenticated on a RODC from a RWDC. > > > > > > > > Can you please add to that bug report ? > > > > > > > > Rowland > > > > > > > > > > > > > > Thanks Rowland, that's exactly the topic. Garming Sam has commented it > > > yesterday, the issue is that kerberos forwarding isn't implemented for > > > now. That is exactly what wee seeing, authentication works __after__ > > > (from the second attempt on) the initial password sync is done, the > > > first attempt isn't proxied. > > > > It should work, as long as you are using the internal Heimdal KDC, and > > I thought we even had tests for that. The KDC propagates up a special > > error code to the processing layer to say 'please proxy this packet to > > a full DC' to trigger that > > We use the internal Heimdal KDC, and it doesn't work, at least for > version 4.9.4. Is there any stuff I can test? Or can you give me an > entry point to the code? Thanks.Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c for how it gets the error HDB_NOT_FOUND_HERE and turns that into KDC_PROXY_REQUEST, which triggers sending it off to another DC. A packet trace should be your first task to confirm nothing is being sent on the any DC. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Adam Minski
2019-Mar-29 11:58 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/29/2019 10:54 AM, Andrew Bartlett wrote:> On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote: >> >> On 03/29/2019 10:37 AM, Andrew Bartlett wrote: >>> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: >>>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: >>>> >>>> [...] >>>> >>>>>> Should the samba RDOC act like the windows version or is it different >>>>>> by design? >>>>>> >>>>> >>>>> Yes it should and there is a bug report for something similar already, >>>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 >>>>> >>>>> I know that is for members of the denied group, but the substance is >>>>> the same, users are not getting authenticated on a RODC from a RWDC. >>>>> >>>>> Can you please add to that bug report ? >>>>> >>>>> Rowland >>>>> >>>>> >>>> >>>> Thanks Rowland, that's exactly the topic. Garming Sam has commented it >>>> yesterday, the issue is that kerberos forwarding isn't implemented for >>>> now. That is exactly what wee seeing, authentication works __after__ >>>> (from the second attempt on) the initial password sync is done, the >>>> first attempt isn't proxied. >>> >>> It should work, as long as you are using the internal Heimdal KDC, and >>> I thought we even had tests for that. The KDC propagates up a special >>> error code to the processing layer to say 'please proxy this packet to >>> a full DC' to trigger that >> >> We use the internal Heimdal KDC, and it doesn't work, at least for >> version 4.9.4. Is there any stuff I can test? Or can you give me an >> entry point to the code? Thanks. > > Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c > for how it gets the error HDB_NOT_FOUND_HERE and turns that into > KDC_PROXY_REQUEST, which triggers sending it off to another DC. > > A packet trace should be your first task to confirm nothing is being > sent on the any DC. > > Andrew Bartlett >Well, my fault. The client isn't trying Kerberos, it's trying LDAP simple binds, which works using MS RODCs, but not for Samba RODCs. Sorry for that. Adam
Reasonably Related Threads
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?