The Samba-Bugzilla – Bug 12773
Computer password change failure makes local secrets.tdb non usable
Last modified: 2017-06-27 17:50:03 UTC
When trying a password change on a member server through a RODC, the local secrets.tdb file is changed while the password change on the RWDC through the RODC has not been applied.
However, the local secrets.tdb file has been updated, so the machine is effectively out of the domain.
This bug is shown in a RODC scenario, but it is probably more general: there is some code path that does not fail early when the password change fails.
In the case of the Samba RODC scenario, a Windows member computer password change also fails, but it does not update its local password, so it does not lose its attachment to the domain.
How to reproduce
join a Samba member server SRVFILE to the domain
restrict SRVFILE network access to only the RODC
preload the credentials of SRVFILE on the RODC
on SRVFILE, run wbinfo -t; it works properly
on SRVFILE, run wbinfo -c; it fails
on SRVFILE, run wbinfo -t; it fails
The secrets.tdb file on SRVFILE has been updated with a new password, but the password change on the RWDC has not been updated.
The patches for bug #12782 will also fix the "unjoin" of this bug.
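The ordering problem the report describes (the local secret committed before the domain has accepted the change) as an added Python model; this is not part of the bug report or of Samba's code, and WritableDc, ReadOnlyDc, change_machine_password and run_scenario are invented stand-ins for the RWDC, the RODC and the wbinfo steps of the reproduction:

```python
# Constructed model of the ordering defect this report describes; an added
# illustration, not Samba's code. All class and function names are invented
# stand-ins for the RWDC, the RODC and the "wbinfo -c" / "wbinfo -t" steps.

class WritableDc:
    # The RWDC: the only place a machine password change can actually land.
    def __init__(self, account, password):
        self.passwords = {account: password}
    def change_password(self, account, old, new):
        if self.passwords.get(account) != old:
            return False
        self.passwords[account] = new
        return True

class ReadOnlyDc:
    # The RODC: answers trust checks from preloaded credentials (step 3 of the
    # reproduction) and, in this model, fails to forward the change to the RWDC.
    def __init__(self, rwdc, preloaded):
        self.cache = {a: rwdc.passwords[a] for a in preloaded}
    def change_password(self, account, old, new):
        return False  # constructed: the forwarded change never reaches the RWDC
    def authenticate(self, account, password):  # what `wbinfo -t` exercises
        return self.cache.get(account) == password

def change_machine_password(store, dc, account, new, commit_local_first):
    # store is the member's local secret store, the secrets.tdb stand-in.
    old = store[account]
    if commit_local_first:
        # Defective ordering: the local store is rewritten before the DC has
        # accepted the change, so a failure leaves a password the domain
        # never saw, which is what breaks the trust relationship.
        store[account] = new
        return dc.change_password(account, old, new)
    # Fail-early ordering: persist locally only after the DC acknowledges.
    if not dc.change_password(account, old, new):
        return False
    store[account] = new
    return True

def run_scenario(commit_local_first):
    # Returns (trust before, change succeeded, trust after) for one ordering.
    rwdc = WritableDc("SRVFILE$", "initial-pw")
    rodc = ReadOnlyDc(rwdc, ["SRVFILE$"])
    store = {"SRVFILE$": "initial-pw"}
    before = rodc.authenticate("SRVFILE$", store["SRVFILE$"])
    changed = change_machine_password(store, rodc, "SRVFILE$", "rotated-pw",
                                      commit_local_first)
    return before, changed, rodc.authenticate("SRVFILE$", store["SRVFILE$"])
```

With the defective ordering the trust check fails after the rejected change, mirroring the wbinfo -t failure in the report; with the fail-early ordering the member keeps its old secret and stays joined.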
Garming: does your commit here:
already work around the problem?
So that we don't even try to change the password against an RODC?
Or is the RODC required to forward the change and we only have a problem with Samba based RODCs?
(In reply to Stefan Metzmacher from comment #1)
All the other changes I made did not manage to prevent the password change attempt. It should forward the change as far as I know, so it is an issue with Samba RODC. At least with the unjoin prevented, everything will generally work but it shows that cli_credentials need to be pushed out further so that everything else can simply use the old password.