Bug 12774 - Machine password change does not work on a RODC
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.6.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2017-05-05 18:04 UTC by Denis Cardon
Modified: 2022-02-22 15:00 UTC
Description Denis Cardon 2017-05-05 18:04:54 UTC
How to reproduce:
* join a member SRVFILE server to SRVDC
* restrict SRVFILE network access to SRVRODC
* wbinfo -c
* check password changed on the SRVDC, replPropertyMetaData version has not been incremented
Comment 1 Stefan Metzmacher 2022-02-21 11:35:44 UTC
We need to proxy the netr_ServerPasswordSet2 change as a PasswordUpdateForward Request Message (MS-SAMS 2.2.4) via NetrLogonSendToSam to an RWDC and directly replicate the change back via DRSUAPI_EXOP_REPL_SECRET before netr_ServerPasswordSet2 returns.

This is what Windows does, but it seems to ignore a possible
NT_STATUS_INVALID_PARAMETER from NetrLogonSendToSam and returns
netr_ServerPasswordSet2() with NT_STATUS_OK.