I'm currently working on the RODC, and here are some of the patches I've
got so far. There are three major issues that these patches deal with:
1) The ability to add and delete objects on the RODC. While these
objects are never replicated back, they will almost certainly cause
2) Password lockouts on the RODC were previously blocked by
modification of the replicated attribute lockoutTime (which necessarily
caused a referral).
3) RODC never seemed to receive push-replication from its
replication partner (DNS records were suspect, and UpdateRefs was never
called in join.py).
Also included is removal of an unnecessary (but almost always acquired)
LDB transaction during GetNCChanges which could have caused issues, a
change to the LDAP referral string to point to the PDC, and some tests
to prove the behaviour of referrals.
I'm currently still working on making RODC password forwarding more
reliable and more complete (various bugs in winbindd and libads). The
remaining issues (which are in various states of completion) are:
- Failed (NTLM) logins do not fail over to a RWDC if the password
exists on the RODC
- NTLM password forwarding is functional, but unreliable because it
can contact another RODC (or itself)
- Bad password count is neither forwarded, nor reset on a RWDC
(preferably the PDC) to cause domain-wide lockout
- Automatic preloading of users does not work when using Kerberos
As it is though, the patches thus far should be effectively complete and
can be integrated into master. Any thoughts or ideas are welcome.
The next set of RODC patches I am working on resolves most of the
remaining RODC issues I have outlined. The patches make the RODC
actually properly get a RWDC connection in winbindd. There are still
some edge cases where the RODC may reuse old read-only connections, so
that is still yet to be completely resolved.
The patches allow forwarding of a wrong password to a RWDC -- directly
forwarding which allows for success in NTLM, while using dummy password
fields for Kerberos. Local successes can now be forwarded to the RWDC to
unlock the account across the domain using ResetBadPasswordCount in
SendToSam (MS-SAMS). The client side code appears to work correctly
against Windows. The server implementation of the reset bad password
count in Samba is currently missing an access check to ensure only RODC
cached accounts are modified. Otherwise, it all appears to be functional
(albeit without any written tests).
Any comments welcome. I'll be working on some tests to prove that the
resets actually work.
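The forwarding flow this message describes, as an added toy model that is not part of the thread, of Samba, or of these patches: a read-only DC with a cached secret forwards wrong-password attempts to the writable DC so the bad password count is kept domain-wide, forwards a local success as a ResetBadPasswordCount, and the writable DC refuses a reset for any account the calling RODC is not allowed to cache (the access check the message says the Samba server side still lacks). Every name here (`Rwdc`, `Rodc`, `reset_bad_password_count`, the `forward_counts` switch, the lockout threshold and account passwords) is a constructed stand-in, not a winbindd, libads or MS-SAMS identifier.

```python
"""Toy model of RODC -> RWDC password forwarding and bad-password-count
handling.  Added illustration only: nothing here is Samba code; class and
method names are hypothetical stand-ins for winbindd/libads behaviour and
for the MS-SAMS SendToSam(ResetBadPasswordCount) call."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # constructed domain lockout policy, not a real default


@dataclass
class Account:
    name: str
    password: str
    bad_pwd_count: int = 0
    locked: bool = False  # stands in for a replicated lockoutTime


class Rwdc:
    """Writable DC (think of it as the PDC): authoritative for every account."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        # Per-RODC set of accounts that RODC may cache (constructed stand-in
        # for the revealed-users bookkeeping a real DC keeps).
        self.revealed = {}

    def authenticate(self, name, password):
        acct = self.accounts[name]
        if acct.locked:
            return False
        if acct.password == password:
            acct.bad_pwd_count = 0
            return True
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.locked = True  # domain-wide lockout
        return False

    def reset_bad_password_count(self, rodc_name, name):
        """ResetBadPasswordCount arriving from an RODC.  Access check: the
        caller may only reset counts for accounts it is allowed to cache."""
        if name not in self.revealed.get(rodc_name, set()):
            raise PermissionError(f"{rodc_name} does not cache {name}")
        self.accounts[name].bad_pwd_count = 0


class Rodc:
    def __init__(self, name, rwdc, cached, forward_counts=True):
        self.name = name
        self.rwdc = rwdc
        # Locally cached secrets: the RODC holds a copy of these passwords.
        self.cache = {n: Account(n, rwdc.accounts[n].password) for n in cached}
        rwdc.revealed[name] = set(cached)
        # True  = behaviour the patches add (failures and resets forwarded)
        # False = the earlier state: the count only ever moves on the RODC
        self.forward_counts = forward_counts

    def authenticate(self, name, password):
        acct = self.cache.get(name)
        if acct is None:
            return self.rwdc.authenticate(name, password)  # no secret cached
        if self.rwdc.accounts[name].locked:
            return False  # replicated lockout state honoured locally
        if acct.password == password:
            if self.forward_counts:
                # Local success: ask the RWDC to clear the domain-wide count.
                self.rwdc.reset_bad_password_count(self.name, name)
            return True
        if self.forward_counts:
            # Wrong password with a cached secret: forward so the RWDC counts it.
            return self.rwdc.authenticate(name, password)
        acct.bad_pwd_count += 1  # counted only on this RODC
        return False


def build():
    # Constructed accounts and passwords for the scenarios below.
    return Rwdc([Account("alice", "constructed-pw-1"),
                 Account("bob", "constructed-pw-2")])


def lockout_scenario(forward_counts):
    """LOCKOUT_THRESHOLD wrong attempts at the RODC for a cached account.
    Returns (RWDC bad_pwd_count, RWDC locked flag)."""
    rwdc = build()
    rodc = Rodc("RODC1", rwdc, cached=["alice"], forward_counts=forward_counts)
    for _ in range(LOCKOUT_THRESHOLD):
        rodc.authenticate("alice", "not-the-password")
    alice = rwdc.accounts["alice"]
    return alice.bad_pwd_count, alice.locked


def reset_after_local_success():
    """Two forwarded failures, then a local success that resets the count."""
    rwdc = build()
    rodc = Rodc("RODC1", rwdc, cached=["alice"])
    rodc.authenticate("alice", "not-the-password")
    rodc.authenticate("alice", "not-the-password")
    ok = rodc.authenticate("alice", "constructed-pw-1")
    return ok, rwdc.accounts["alice"].bad_pwd_count


def reset_rejected_for_uncached():
    """RODC1 caches alice only, so a reset request for bob is refused."""
    rwdc = build()
    Rodc("RODC1", rwdc, cached=["alice"])
    try:
        rwdc.reset_bad_password_count("RODC1", "bob")
    except PermissionError:
        return True
    return False
```

With `forward_counts=False` the writable DC never sees the failed attempts, so its count stays at zero and the lockout policy is only enforced on the one RODC; with forwarding on, the same attempts lock the account domain-wide, and a local success clears the count through the reset call. The `revealed` check in `reset_bad_password_count` is the model's version of the missing server-side access check: without it any RODC could clear the count for any account.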
> On 05/04/17 12:26, Garming Sam wrote:
>> 2) Password lockouts on the RODC were previously blocked by
>> modification of the replicated attribute lockoutTime (which necessarily
>> caused a referral).
> I've now allowed some password lockout tests to run against the RODC
> (where the secrets exist on the RODC). The tests fail and then pass at
> the expected points during the patches.