[PATCH] Some fixes for Samba RODC

[PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
Hi,

I'm currently working on the RODC, and here are some of the patches I've
got so far. There are three major issues that these patches deal with:

    1) The ability to add and delete objects on the RODC. While these
objects are never replicated back, they will almost certainly cause
replication issues.

    2) Password lockouts on the RODC were previously blocked by
modification of the replicated attribute lockoutTime (which necessarily
caused a referral).

    3) RODC never seemed to receive push-replication from its
replication partner (DNS records were suspect, and UpdateRefs was never
called in join.py).

Also included is the removal of an unnecessary (but almost always acquired)
LDB transaction during GetNCChanges which could have caused issues, a
change to the LDAP referral string to point to the PDC, and some tests
to prove the behaviour of referrals.


I'm currently still working on making RODC password forwarding more
reliable and more complete (various bugs in winbindd and libads). The
remaining issues (which are in various states of completion) are:

    - Failed (NTLM) logins do not fail over to a RWDC if the password
exists on the RODC

    - NTLM password forwarding is functional, but unreliable because it
can contact another RODC (or itself)

    - Bad password count is neither forwarded, nor reset on a RWDC
(preferably the PDC) to cause domain-wide lockout

    - Automatic preloading of users does not work when using Kerberos


As it is though, the patches thus far should be effectively complete and
can be integrated into master. Any thoughts or ideas are welcome.


Cheers,

Garming


Attachment: rodc.patch (67K)
Re: [PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
On 05/04/17 12:26, Garming Sam wrote:
> 2) Password lockouts on the RODC were previously blocked by
> modification of the replicated attribute lockoutTime (which necessarily
> caused a referral).

I've now allowed some password lockout tests to run against the RODC
(where the secrets exist on the RODC). The tests fail and then pass at
the expected points during the patches.


Cheers,

Garming

Attachment: rodc.patch (379K)
[WIP] Re: [PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
Hi,

The next set of RODC patches I am working on resolves most of the
remaining RODC issues I have outlined. The patches make the RODC
actually properly get a RWDC connection in winbindd. There are still
some edge cases where the RODC may reuse old read-only connections, so
that is still yet to be completely resolved.

The patches allow forwarding of a wrong password to a RWDC -- directly
forwarding which allows for success in NTLM, while using dummy password
fields for Kerberos. Local successes can now be forwarded to the RWDC to
unlock the account across the domain using ResetBadPasswordCount in
SendToSam (MS-SAMS). The client side code appears to work correctly
against Windows. The server implementation of the reset bad password
count in Samba is currently missing an access check to ensure only RODC
cached accounts are modified. Otherwise, it all appears to be functional
(albeit without any written tests).

Any comments welcome. I'll be working on some tests to prove that the
resets actually work.

git://git.catalyst.net.nz/samba.git        garming-rodc-wip

http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/garming-rodc-wip



Cheers,

Garming

On 10/04/17 11:40, Garming Sam wrote:

> On 05/04/17 12:26, Garming Sam wrote:
>> 2) Password lockouts on the RODC were previously blocked by
>> modification of the replicated attribute lockoutTime (which necessarily
>> caused a referral).
> I've now allowed some password lockout tests to run against the RODC
> (where the secrets exist on the RODC). The tests fail and then pass at
> the expected points during the patches.
>
>
> Cheers,
>
> Garming


Re: [WIP] Re: [PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
Tests are now added to ensure that a RWDC receives bad passwords and
resets. SID checks are now in place for SendToSam, and there is a small
test to prove that a locally cached user not present in the RODC reveal
group cannot get their badPwdCount reset to 0.

Apart from some tidy up, this implements nearly everything I was
planning. The only caveat is the unlikely winbind edge cases where it
may fail to contact a RWDC after a dropped connection. However, as
required by the testing, there is a workaround using the 'password
server' attribute in the smb.conf file to force a particular list of
servers. Hopefully I will get some time and advice to get that done, but
even with this workaround Samba RODC is now much more reliable and
reasonably feature complete.


Cheers,

Garming


On 18/04/17 17:03, Garming Sam wrote:
> git://git.catalyst.net.nz/samba.git        garming-rodc-wip
>
> http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/garming-rodc-wip
>

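The forwarding flow described in the 18 April message (local success, wrong password forwarded to a RWDC, local success reported back through ResetBadPasswordCount in SendToSam) and the SID check from the follow-up (only accounts the calling RODC is allowed to cache may have badPwdCount reset), as one runnable model. This is an added example written for this page; it is not Samba code and uses none of Samba's APIs. The Account/Rwdc/Rodc classes, the SIDs, the reveal-set table and the lockout threshold are all constructed for the illustration, and a SHA-256 digest stands in for the NT hash.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed model for illustration only; not Samba code. The SIDs, the
# reveal table and the threshold below are made up for the example.
LOCKOUT_THRESHOLD = 3
DOMAIN = "S-1-5-21-1-1-1"
ALICE = f"{DOMAIN}-1105"   # ordinary user whose secret the RODC caches
ADMIN = f"{DOMAIN}-500"    # never revealed to any RODC
RODC1 = f"{DOMAIN}-1200"   # the RODC's own computer account
RODC2 = f"{DOMAIN}-1201"   # a second RODC that may cache nobody


def secret_of(password: str) -> bytes:
    """Stand-in for the NT hash (which is really MD4 of UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass
class Account:
    sid: str
    secret: Optional[bytes]   # None on an RODC means "not cached here"
    bad_pwd_count: int = 0
    locked: bool = False


class Rwdc:
    """Writable DC: authoritative for every account, target of forwarded auths."""

    def __init__(self, accounts: Dict[str, Account], reveal_sets: Dict[str, Set[str]]):
        self.accounts = accounts
        # rodc sid -> sids whose secrets that RODC is allowed to hold; this plays
        # the role the RODC reveal group / msDS-RevealedUsers play in AD.
        self.reveal_sets = reveal_sets

    def authenticate(self, sid: str, password: str) -> bool:
        acct = self.accounts[sid]
        if acct.locked:
            return False
        if hmac.compare_digest(acct.secret, secret_of(password)):
            acct.bad_pwd_count = 0
            return True
        acct.bad_pwd_count += 1           # domain-wide count lives here
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def send_to_sam_reset(self, caller_rodc: str, target: str) -> bool:
        """ResetBadPasswordCount (SendToSam, MS-SAMS) with the access check.

        Without the check, any RODC, or anyone holding an RODC's credentials,
        could keep a brute-forced account from ever locking out."""
        if target not in self.reveal_sets.get(caller_rodc, set()):
            return False
        self.accounts[target].bad_pwd_count = 0
        return True


class Rodc:
    """Read-only DC holding secrets only for the accounts revealed to it."""

    def __init__(self, sid: str, rwdc: Rwdc, cached: Dict[str, Account]):
        self.sid, self.rwdc, self.cached = sid, rwdc, cached

    def authenticate(self, sid: str, password: str) -> Tuple[bool, str]:
        """Returns (success, where the decision was made)."""
        acct = self.cached.get(sid)
        if acct is None or acct.secret is None:
            return self.rwdc.authenticate(sid, password), "forwarded"
        if hmac.compare_digest(acct.secret, secret_of(password)):
            acct.bad_pwd_count = 0
            # Local success: clear the domain-wide count so earlier forwarded
            # failures do not accumulate into a lockout.
            self.rwdc.send_to_sam_reset(self.sid, sid)
            return True, "local"
        # Local failure: the password may have changed upstream, and the RWDC
        # must see the failure so it is counted domain-wide.
        acct.bad_pwd_count += 1
        return self.rwdc.authenticate(sid, password), "forwarded-after-local-failure"


def build_lab() -> Tuple[Rwdc, Rodc]:
    rwdc = Rwdc(
        accounts={ALICE: Account(ALICE, secret_of("alice-pw")),
                  ADMIN: Account(ADMIN, secret_of("admin-pw"))},
        reveal_sets={RODC1: {ALICE}, RODC2: set()},
    )
    rodc = Rodc(RODC1, rwdc, cached={ALICE: Account(ALICE, secret_of("alice-pw"))})
    return rwdc, rodc


def run_scenario() -> Dict[str, object]:
    rwdc, rodc = build_lab()
    out: Dict[str, object] = {}
    out["wrong1"] = rodc.authenticate(ALICE, "guess-1")
    out["wrong2"] = rodc.authenticate(ALICE, "guess-2")
    out["count_after_2_wrong"] = rwdc.accounts[ALICE].bad_pwd_count
    out["right"] = rodc.authenticate(ALICE, "alice-pw")
    out["count_after_success"] = rwdc.accounts[ALICE].bad_pwd_count
    out["admin_forwarded"] = rodc.authenticate(ADMIN, "admin-pw")
    # A reset for an account outside the caller's reveal set is refused,
    # as is a reset from an RODC that is not in the table at all.
    rwdc.accounts[ADMIN].bad_pwd_count = 2
    out["rogue_reset"] = rwdc.send_to_sam_reset(RODC1, ADMIN)
    out["unknown_rodc_reset"] = rwdc.send_to_sam_reset(f"{DOMAIN}-9999", ALICE)
    out["admin_count_unchanged"] = rwdc.accounts[ADMIN].bad_pwd_count
    # Forwarded failures still reach the threshold and lock domain-wide.
    for i in range(LOCKOUT_THRESHOLD):
        rodc.authenticate(ALICE, f"guess-{i}")
    out["alice_locked"] = rwdc.accounts[ALICE].locked
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model stops where the first message's issue 2 begins: lockoutTime is a replicated attribute, so a lockout set on the RWDC would in AD replicate back to the RODC, whereas this toy RODC keeps authenticating locally once locked. What the model does show is the two properties the thread's tests check: a local success clears the count that forwarded failures built up on the RWDC, and the reset is honoured only for a SID inside the calling RODC's reveal set.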

Re: [WIP] Re: [PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
On Tue, 2017-04-18 at 17:03 +1200, Garming Sam via samba-technical
wrote:
> Hi,
>
> The next set of RODC patches I am working on resolve most of the
> remaining RODC issues I have outlined. The patches make the RODC
> actually properly get a RWDC connection in winbindd. There are still
> some edge cases where the RODC may reuse old read-only connections,
> so
> that still is yet to be completely resolved.

> The patches allow forwarding of wrong password to a RWDC -- directly
> forwarding which allows for success in NTLM, while using dummy
> password
> fields for Kerberos. Local successes can now be forwarded to the RWDC
> to
> unlock the account across the domain using ResetBadPasswordCount in
> SendToSam (MS-SAMS). The client side code appears to work correctly
> against Windows. The server implementation of the reset bad password
> count in Samba is currently missing an access check to ensure only
> RODC
> cached accounts are modified. Otherwise, it all appears to be
> functional
> (albeit without any written tests).
Attached are the current patches, which I hope to push tomorrow, as
I've reviewed them all.  They make the changes to winbindd required to
implement these important features, and fill a big gap in our RODC
support.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba




Attachment: rodc-garming.patch.txt (200K)
Re: [WIP] Re: [PATCH] Some fixes for Samba RODC

Samba - samba-technical mailing list
On Mon, 2017-05-29 at 10:29 +1200, Andrew Bartlett via samba-technical
wrote:

> On Tue, 2017-04-18 at 17:03 +1200, Garming Sam via samba-technical
> wrote:
> > Hi,
> >
> > The next set of RODC patches I am working on resolve most of the
> > remaining RODC issues I have outlined. The patches make the RODC
> > actually properly get a RWDC connection in winbindd. There are still
> > some edge cases where the RODC may reuse old read-only connections,
> > so
> > that still is yet to be completely resolved.
> > The patches allow forwarding of wrong password to a RWDC -- directly
> > forwarding which allows for success in NTLM, while using dummy
> > password
> > fields for Kerberos. Local successes can now be forwarded to the RWDC
> > to
> > unlock the account across the domain using ResetBadPasswordCount in
> > SendToSam (MS-SAMS). The client side code appears to work correctly
> > against Windows. The server implementation of the reset bad password
> > count in Samba is currently missing an access check to ensure only
> > RODC
> > cached accounts are modified. Otherwise, it all appears to be
> > functional
> > (albeit without any written tests).
>
> Attached are the current patches, which I hope to push tomorrow, as
> I've reviewed them all.  They make the changes to winbindd required to
> implement these important features, and fill a big gap in our RODC
> support.

These are now in autobuild,

Andrew Bartlett

> Thanks,
>
> Andrew Bartlett
>
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

