machine password change on memberserver on RODC site


Denis Cardon-2
Hi everyone,

While testing RODC (4.7 git-head with Garming's recent patches), I came
across an issue with machine password secret update on a member server
quite similar to https://bugzilla.samba.org/show_bug.cgi?id=12262 .

I have run into that bug previously on RWDC sites, but patches have made
their way into 4.6, so I am wondering if this is specific to RODC sites.

# samba -V
Version 4.6.0

# net ads join -U dcardon-adm --server=dc-nantes
Enter dcardon-adm's password:
Using short domain name -- TRANQUILIT
Joined 'TEST-SRVFIC' to dns domain 'tranquilit.lan'

# wbinfo -t
checking the trust secret for domain TRANQUILIT via RPC calls succeeded

# net ads testjoin
Join is OK

# killall -9 smbd ; killall -9 winbindd

# winbindd ; smbd

# net ads testjoin
Join is OK

# wbinfo -t
checking the trust secret for domain TRANQUILIT via RPC calls succeeded

# wbinfo -c
changing the trust secret for domain TRANQUILIT via RPC calls failed
failed to call wbcChangeTrustCredentials: WBC_ERR_DOMAIN_NOT_FOUND
Could not change secret

# net ads testjoin
kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
Preauthentication failed
kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
Preauthentication failed
Join to domain is not valid: Logon failure

Cheers,

Denis


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: machine password change on memberserver on RODC site

Stefan Metzmacher-2
Hi Denis,

> While testing RODC (4.7 git-head with Garming's recent patches), I came
> across an issue with machine password secret update on a member server
> quite similar to https://bugzilla.samba.org/show_bug.cgi?id=12262 .

I don't think the problem is a wrong encoding of the password,
so it's not really related to that bug. I guess there's another
reason why the password gets out of sync.

> I have run into that bug previously on RWDC sites, but patches have made
> their way into 4.6, so I am wondering if this is specific to RODC sites.
>
> # samba -V
> Version 4.6.0
>
> # net ads join -U dcardon-adm --server=dc-nantes
> Enter dcardon-adm's password:
> Using short domain name -- TRANQUILIT
> Joined 'TEST-SRVFIC' to dns domain 'tranquilit.lan'
>
> # wbinfo -t
> checking the trust secret for domain TRANQUILIT via RPC calls succeeded
>
> # net ads testjoin
> Join is OK
>
> # killall -9 smbd ; killall -9 winbindd
>
> # winbindd ; smbd
>
> # net ads testjoin
> Join is OK
>
> # wbinfo -t
> checking the trust secret for domain TRANQUILIT via RPC calls succeeded
>
> # wbinfo -c
> changing the trust secret for domain TRANQUILIT via RPC calls failed
> failed to call wbcChangeTrustCredentials: WBC_ERR_DOMAIN_NOT_FOUND
> Could not change secret
I guess you'll see in the logs that the password
was changed locally, but failed on the server.

We'd have to see how it works against a Windows RODC,
should the member detect the RODC and do the password
change against a RWDC?

Or should the RODC forward the request to the RWDC?

It's also possible that the password is in fact changed correctly
on an RWDC, but not yet replicated back to the RODC.

> # net ads testjoin
> kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
> Preauthentication failed
> kerberos_kinit_password TEST-SRVFIC$@TRANQUILIT.LAN failed:
> Preauthentication failed
> Join to domain is not valid: Logon failure

net ads testjoin and winbindd are both not able to fallback to
use the previous machine password (yet).

I guess wbinfo -t and net rpc testjoin would still
be successful, because they can use the previous password.

metze

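One practical guard that follows from the question above: before a member rotates its machine account secret, find out whether the DC it is about to talk to is writable, and refuse to rotate through an RODC. The script below is an added example for this thread, not code from Samba or from either poster. It parses the "Flags:" block that `net ads lookup` prints from the CLDAP netlogon response (the flag labels follow that output; the two sample responses, the RODC hostname `rodc-site.tranquilit.lan` and the `safe_change_secret` wrapper are constructed for the example and are not from the thread).

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): classify the DC a
# member would talk to from the CLDAP flags printed by `net ads lookup`,
# and only rotate the machine secret when that DC is writable.
# Sample lookup responses below are constructed; only the flag labels
# follow the real `net ads lookup` output format.

# classify_dc TEXT -> prints one of: rwdc | rodc | unknown
# "Is writable: yes" plus "has all secrets: yes" is a normal RWDC.
# "Is writable: no" is an RODC: it cannot store a new secret itself,
# it can only proxy the change or wait for replication from an RWDC.
classify_dc() {
    text="$1"
    writable=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*Is writable:[[:space:]]*\([a-z]*\).*/\1/p')
    all_secrets=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*Is NT6 DC that has all secrets:[[:space:]]*\([a-z]*\).*/\1/p')
    case "$writable/$all_secrets" in
        yes/yes) echo rwdc ;;
        no/*)    echo rodc ;;
        *)       echo unknown ;;
    esac
}

# dc_name TEXT -> the "Domain Controller:" value, for log messages.
dc_name() {
    printf '%s\n' "$1" | sed -n 's/^Domain Controller:[[:space:]]*//p'
}

# safe_change_secret [DC]: hypothetical wrapper around `wbinfo -c`.
# Not executed here; it needs a joined member and network access.
safe_change_secret() {
    server=${1:-}
    if [ -n "$server" ]; then
        lookup=$(net ads lookup -S "$server") || return 2
    else
        lookup=$(net ads lookup) || return 2
    fi
    case "$(classify_dc "$lookup")" in
        rwdc)
            echo "rotating machine secret via $(dc_name "$lookup")"
            wbinfo --change-secret
            ;;
        rodc)
            echo "refusing: $(dc_name "$lookup") is read-only" >&2
            return 1
            ;;
        *)
            echo "could not classify DC from lookup output" >&2
            return 2
            ;;
    esac
}

# Constructed sample: a writable DC (hostname taken from the thread).
RWDC_LOOKUP='Information for Domain Controller: 192.0.2.10

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
Flags:
    Is a PDC:                                   yes
    Is a GC of the forest:                      yes
    Is an LDAP server:                          yes
    Supports DS:                                yes
    Is running a KDC:                           yes
    Is running time services:                   yes
    Is the closest DC:                          no
    Is writable:                                yes
    Has a hardware clock:                       yes
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets:            no
    Is NT6 DC that has all secrets:             yes
Forest:                 tranquilit.lan
Domain:                 tranquilit.lan
Domain Controller:      dc-nantes.tranquilit.lan'

# Constructed sample: an RODC in the site of the member (hostname assumed).
RODC_LOOKUP='Information for Domain Controller: 192.0.2.20

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
Flags:
    Is a PDC:                                   no
    Is an LDAP server:                          yes
    Is running a KDC:                           yes
    Is the closest DC:                          yes
    Is writable:                                no
    Is NT6 DC that has some secrets:            yes
    Is NT6 DC that has all secrets:             no
Forest:                 tranquilit.lan
Domain:                 tranquilit.lan
Domain Controller:      rodc-site.tranquilit.lan'

classify_dc "$RWDC_LOOKUP"   # rwdc
classify_dc "$RODC_LOOKUP"   # rodc
```

Even with this guard, the caveat from the reply still applies: a change that succeeded on the RWDC is not visible to the RODC until it has replicated, so `net ads testjoin` run against the RODC site can still fail with a Kerberos preauthentication error for a while after a successful rotation.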
