Bug 12773 - Computer password change failure makes local secrets.tdb non usable
Summary: Computer password change failure makes local secrets.tdb non usable
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.6.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 12782
Blocks:
Reported: 2017-05-05 17:58 UTC by Denis Cardon
Modified: 2021-10-20 11:05 UTC
Description Denis Cardon 2017-05-05 17:58:00 UTC
When trying a password change on a member server through a RODC, the local secrets.tdb file is changed while the password change on the RWDC through the RODC has not been applied.

However, the local secrets.tdb file has been updated. So the machine is effectively out of the domain.

This bug is shown in a RODC scenario, but it is probably more general, that is, there is some code path that does not fail early when the password change fails.

In the case of the Samba RODC scenario, a Windows member computer password change also fails, but it does not update its local password, so it does not lose its attachment to the domain.

How to reproduce:
 join a Samba member server SRVFILE to the domain
 restrict SRVFILE network access to only the RODC
 preload the credentials of SRVFILE on the RODC
 on SRVFILE, run wbinfo -t; it works properly
 on SRVFILE, run wbinfo -c; it fails
 on SRVFILE, run wbinfo -t; it fails

The secrets.tdb file on SRVFILE has been updated with a new password, but the password on the RWDC has not been updated.
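A defensive wrapper for the steps above, added here as an example (not Samba's code and not from the reporter): it snapshots secrets.tdb before wbinfo -c and, if wbinfo -t fails afterwards, puts the old file back so the member server keeps using the password the RWDC still knows. The secrets.tdb path and the wbinfo command are assumptions and can be overridden through SECRETS_TDB and WBINFO.

```shell
#!/bin/sh
# Guarded machine-password change for a Samba member server.
# Assumptions (not from the bug report): the secrets.tdb location below
# (override with SECRETS_TDB) and a wbinfo binary on PATH (override with
# WBINFO, e.g. to point at a stub when testing).
SECRETS_TDB="${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}"
WBINFO="${WBINFO:-wbinfo}"

# Returns 0 when the machine account trust is intact (wbinfo -t).
trust_ok() {
    "$WBINFO" -t >/dev/null 2>&1
}

# Attempt the password change (wbinfo -c). If the trust check fails
# afterwards, restore the pre-change secrets.tdb, which is the state the
# RWDC still matches when the change was never applied there.
# Exit status: 0 = change succeeded and trust verified
#              1 = change failed, old secrets restored, trust OK again
#              2 = change failed and restoring did not recover trust
guarded_change_secret() {
    backup="$SECRETS_TDB.prechange"
    trust_ok || { echo "trust already broken before change" >&2; return 2; }
    # cp is fine for a tdb nobody has open; on a live winbindd use
    # tdbbackup(8) for the snapshot and stop winbindd before restoring.
    cp -p "$SECRETS_TDB" "$backup" || return 2
    if "$WBINFO" -c >/dev/null 2>&1 && trust_ok; then
        rm -f "$backup"
        return 0
    fi
    echo "password change failed; restoring $SECRETS_TDB" >&2
    cp -p "$backup" "$SECRETS_TDB" || return 2
    if trust_ok; then
        rm -f "$backup"
        return 1
    fi
    return 2
}
```

If the script exits 2, the local secrets no longer match what the DC holds either way, and the member server needs to be re-joined.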
Comment 1 Stefan Metzmacher 2017-06-19 07:10:47 UTC
The patches for bug #12782 will also fix the "unjoin" of this bug.

Garming: does your commit here:
http://git.catalyst.net.nz/gw?p=samba.git;a=commitdiff;h=108aaae12bdcf9d1ac377618c6ab016e7dedb854
already work around the problem?
So that we don't even try to change the password against an RODC?

Or is the RODC required to forward the change and we only
have a problem with Samba-based RODCs?
Comment 2 Garming Sam 2017-06-19 21:25:04 UTC
(In reply to Stefan Metzmacher from comment #1)

All the other changes I made did not manage to prevent the password change attempt. It should forward the change as far as I know, so it is an issue with Samba RODC. At least with the unjoin prevented, everything will generally work but it shows that cli_credentials need to be pushed out further so that everything else can simply use the old password.