Which version of Samba is this?
See https://www.youtube.com/watch?v=jAjTeczxMX8 for a full description
of what is required to change a trust password on an RODC.
If you are running an older Samba version, you may have hit one of the
many issues that Metze describes having to work around.
Andrew Bartlett
On Mon, 2022-10-17 at 10:29 -0600, Orion Poplawski via samba wrote:
> We have three offices/sites each with a RWDC, with two of them with a RODC as
> well. We are seeing issues when a samba domain member tries to update its
> trust password and it uses one of the RODCs instead of a RWDC. e.g.:
>
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.047177, 0]
> ../../source3/libsmb/trusts_util.c:381(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Verifying passwords remotely
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.058971, 0]
> ../../source3/libsmb/trusts_util.c:453(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Verified old password remotely using
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.059054, 0]
> ../../source3/libsmb/trusts_util.c:492(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Changed password locally
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.099331, 0]
> ../../source3/libsmb/trusts_util.c:546(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Changed password remotely using
> netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.115267, 0]
> ../../source3/libsmb/trusts_util.c:565(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]: 2022/10/11 08:13:06 :
> trust_pw_change(NWRA): Finished password change.
> Oct 11 08:13:06 samba winbindd[1109]: [2022/10/11 08:13:06.119393, 0]
> ../../source3/libsmb/trusts_util.c:611(trust_pw_change)
> Oct 11 08:13:06 samba winbindd[1109]:
> netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA])
> failed for new password - NT_STATUS_ACCESS_DENIED!
>
> Do I need to point samba only to the RWDCs somehow? Or configure my RODCs
> differently? Or ?
>
> Thanks!
>
> Orion
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
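
Added example, not part of the original thread and not Samba project code: a Python check over winbindd messages like those quoted above that flags a machine-account password change whose new password is then refused by the DC. The sample log is constructed from the quoted messages with each message joined onto one line, and the rodcs parameter (the names of your read-only DCs) is an assumption.

```python
import re

# Constructed sample: the messages quoted in the thread, one entry per line.
SAMPLE_LOG = """\
winbindd[1109]: trust_pw_change(NWRA): Verifying passwords remotely netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA].
winbindd[1109]: trust_pw_change(NWRA): Verified old password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
winbindd[1109]: trust_pw_change(NWRA): Changed password locally
winbindd[1109]: trust_pw_change(NWRA): Changed password remotely using netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]
winbindd[1109]: trust_pw_change(NWRA): Finished password change.
winbindd[1109]: netlogon_creds_cli_auth(netlogon_creds_cli:CLI[SAMBA/SAMBA$]/SRV[RODC/NWRA]) failed for new password - NT_STATUS_ACCESS_DENIED!
"""

# SRV[<server>/<domain>] as it appears in the netlogon_creds_cli context string.
SRV = r"SRV\[(?P<server>[^/\]]+)/(?P<domain>[^\]]+)\]"
LOCAL = re.compile(r"trust_pw_change\((?P<domain>[^)]*)\): Changed password locally")
CHANGED = re.compile(r"trust_pw_change\([^)]*\): Changed password remotely using .*" + SRV)
FAILED = re.compile(r"netlogon_creds_cli_auth\(.*" + SRV
                    + r"\)\s+failed for new password - (?P<status>NT_STATUS_\w+)")


def find_failed_trust_changes(log_text, rodcs=()):
    """Return one finding per change whose new password was then refused."""
    rodc_names = {name.upper() for name in rodcs}  # hypothetical site inventory
    changed_via = {}    # domain -> DC that accepted the remote change
    local_done = set()  # domains whose local secret was already rewritten
    findings = []
    for line in log_text.splitlines():
        if (m := LOCAL.search(line)):
            local_done.add(m["domain"])
        elif (m := CHANGED.search(line)):
            changed_via[m["domain"]] = m["server"]
        elif (m := FAILED.search(line)):
            domain, server = m["domain"], m["server"]
            findings.append({
                "domain": domain,
                "server": server,
                "status": m["status"],
                "changed_via": changed_via.pop(domain, None),
                "local_secret_changed": domain in local_done,
                "server_is_rodc": server.upper() in rodc_names,
            })
            local_done.discard(domain)
    return findings
```

Real journal output splits each entry across a header line and one or more message lines, so join those before passing the text in.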