Adam Minski
2019-Mar-29 11:58 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/29/2019 10:54 AM, Andrew Bartlett wrote:> On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote: >> >> On 03/29/2019 10:37 AM, Andrew Bartlett wrote: >>> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: >>>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: >>>> >>>> [...] >>>> >>>>>> Should the samba RDOC act like the windows version or is it different >>>>>> by design? >>>>>> >>>>> >>>>> Yes it should and there is a bug report for something similar already, >>>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 >>>>> >>>>> I know that is for members of the denied group, but the substance is >>>>> the same, users are not getting authenticated on a RODC from a RWDC. >>>>> >>>>> Can you please add to that bug report ? >>>>> >>>>> Rowland >>>>> >>>>> >>>> >>>> Thanks Rowland, that's exactly the topic. Garming Sam has commented it >>>> yesterday, the issue is that kerberos forwarding isn't implemented for >>>> now. That is exactly what wee seeing, authentication works __after__ >>>> (from the second attempt on) the initial password sync is done, the >>>> first attempt isn't proxied. >>> >>> It should work, as long as you are using the internal Heimdal KDC, and >>> I thought we even had tests for that. The KDC propagates up a special >>> error code to the processing layer to say 'please proxy this packet to >>> a full DC' to trigger that >> >> We use the internal Heimdal KDC, and it doesn't work, at least for >> version 4.9.4. Is there any stuff I can test? Or can you give me an >> entry point to the code? Thanks. > > Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c > for how it gets the error HDB_NOT_FOUND_HERE and turns that into > KDC_PROXY_REQUEST, which triggers sending it off to another DC. > > A packet trace should be your first task to confirm nothing is being > sent on the any DC. > > Andrew Bartlett >Well, my fault. The client isn't trying Kerberos, it's trying LDAP simple binds, which works using MS RODCs, but not for Samba RODCs. Sorry for that. Adam
Adam Minski
2019-Apr-01 06:37 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/29/2019 12:58 PM, Adam Minski wrote:> > > On 03/29/2019 10:54 AM, Andrew Bartlett wrote: >> On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote: >>> >>> On 03/29/2019 10:37 AM, Andrew Bartlett wrote: >>>> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: >>>>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: >>>>> >>>>> [...] >>>>> >>>>>>> Should the samba RDOC act like the windows version or is it >>>>>>> different >>>>>>> by design? >>>>>>> >>>>>> >>>>>> Yes it should and there is a bug report for something similar >>>>>> already, >>>>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 >>>>>> >>>>>> I know that is for members of the denied group, but the substance is >>>>>> the same, users are not getting authenticated on a RODC from a RWDC. >>>>>> >>>>>> Can you please add to that bug report ? >>>>>> >>>>>> Rowland >>>>>> >>>>>> >>>>> >>>>> Thanks Rowland, that's exactly the topic. Garming Sam has commented it >>>>> yesterday, the issue is that kerberos forwarding isn't implemented for >>>>> now. That is exactly what wee seeing, authentication works __after__ >>>>> (from the second attempt on) the initial password sync is done, the >>>>> first attempt isn't proxied. >>>> >>>> It should work, as long as you are using the internal Heimdal KDC, and >>>> I thought we even had tests for that. The KDC propagates up a special >>>> error code to the processing layer to say 'please proxy this packet to >>>> a full DC' to trigger that >>> >>> We use the internal Heimdal KDC, and it doesn't work, at least for >>> version 4.9.4. Is there any stuff I can test? Or can you give me an >>> entry point to the code? Thanks. >> >> Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c >> for how it gets the error HDB_NOT_FOUND_HERE and turns that into >> KDC_PROXY_REQUEST, which triggers sending it off to another DC. >> >> A packet trace should be your first task to confirm nothing is being >> sent on the any DC. >> >> Andrew Bartlett >> > > > Well, my fault. The client isn't trying Kerberos, it's trying LDAP > simple binds, which works using MS RODCs, but not for Samba RODCs. > > Sorry for that. > AdamI can confirm that for samba-4.9.4 using the internal Heimdal KDC Kerberos proxying works, simple bind proxying not. Should the latter work? If not, are there plans for supporting that and what is the time line? If support for proxying simple binds is not there yet but experimental code is ongoing, it would be great if I could include it into my builds. Thanks Adam
Andrew Bartlett
2019-Apr-01 07:38 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On Mon, 2019-04-01 at 08:37 +0200, Adam Minski wrote:> > On 03/29/2019 12:58 PM, Adam Minski wrote: > > > > On 03/29/2019 10:54 AM, Andrew Bartlett wrote: > > > On Fri, 2019-03-29 at 10:44 +0100, Adam Minski wrote: > > > > On 03/29/2019 10:37 AM, Andrew Bartlett wrote: > > > > > On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: > > > > > > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: > > > > > > > > > > > > [...] > > > > > > > > > > > > > > Should the samba RDOC act like the windows version or is it > > > > > > > > different > > > > > > > > by design? > > > > > > > > > > > > > > > > > > > > > > Yes it should and there is a bug report for something similar > > > > > > > already, > > > > > > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 > > > > > > > > > > > > > > I know that is for members of the denied group, but the substance is > > > > > > > the same, users are not getting authenticated on a RODC from a RWDC. > > > > > > > > > > > > > > Can you please add to that bug report ? > > > > > > > > > > > > > > Rowland > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks Rowland, that's exactly the topic. Garming Sam has commented it > > > > > > yesterday, the issue is that kerberos forwarding isn't implemented for > > > > > > now. That is exactly what wee seeing, authentication works __after__ > > > > > > (from the second attempt on) the initial password sync is done, the > > > > > > first attempt isn't proxied. > > > > > > > > > > It should work, as long as you are using the internal Heimdal KDC, and > > > > > I thought we even had tests for that. The KDC propagates up a special > > > > > error code to the processing layer to say 'please proxy this packet to > > > > > a full DC' to trigger that > > > > > > > > We use the internal Heimdal KDC, and it doesn't work, at least for > > > > version 4.9.4. Is there any stuff I can test? Or can you give me an > > > > entry point to the code? Thanks. > > > > > > Have a look in source4/kdc/kdc-heimdal.c and source4/kdc/kdc-process.c > > > for how it gets the error HDB_NOT_FOUND_HERE and turns that into > > > KDC_PROXY_REQUEST, which triggers sending it off to another DC. > > > > > > A packet trace should be your first task to confirm nothing is being > > > sent on the any DC. > > > > > > Andrew Bartlett > > > > > > > Well, my fault. The client isn't trying Kerberos, it's trying LDAP > > simple binds, which works using MS RODCs, but not for Samba RODCs. > > > > Sorry for that. > > Adam > > I can confirm that for samba-4.9.4 using the internal Heimdal KDC > Kerberos proxying works, simple bind proxying not. Should the latter > work? If not, are there plans for supporting that and what is the time > line? If support for proxying simple binds is not there yet but > experimental code is ongoing, it would be great if I could include it > into my builds.Its just a bug, I expect there will be a fix soon. In terms of 'experimental code' the best way to help test Samba's new features is to run git master and give us feedback or at least to run our release candidates. While we hesitate to suggest running unreleased code in production, sadly these are so rarely used in production-like environments that we get supprises like this when releases come out. We do write extensive tests Samba's features, particularly when new features are added or bugs are fixed, but the biggest challenges are in the 'unknown unknowns', areas we didn't know were not tested. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Maybe Matching Threads
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Issues with RODC