If we send a netr_ServerPasswordSet2() to a (Windows) RODC we may destroy our domain membership. The reason is that trust_pw_new_value() generates member server passwords with a length from 128 to 255, which means the UTF16 buffer is from 256 to 510 bytes for the samr_CryptPassword/netr_CryptPassword buffers. These long passwords work fine via SAMR/ldap/netr_ServerPasswordSet2 (on an RWDC), but the problem is the way RODCs proxy netr_ServerPasswordSet2 to RWDCs. The netr_ServerPasswordSet2 is proxied as a PasswordUpdateForward Request Message (MS-SAMS 2.2.4) via NetrLogonSendToSam. But NetrLogonSendToSam returns NT_STATUS_INVALID_PARAMETER if the password is too long. (I saw a buffer with 302 bytes rejected, while 240 bytes were accepted). 240 bytes is the value Windows clients are using, so we better use the same. It would be good to know the exact limits, but using the same as Windows is once again the best choice... Note https://bugzilla.samba.org/show_bug.cgi?id=11900 is related, but it's a bug report for the RODC itself, while this bug report is for domain members.
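The length mismatch described in the report, as an added example that is not part of the original comment or of Samba's code: it packs a password into the cleartext layout used before encryption (512 bytes holding the UTF-16 password right-aligned behind random filler, then a 4-byte little-endian length) and compares the length with the 240-byte value from the report. The function names and the constructed sample passwords are assumptions; 240 is the value the report says Windows clients use, not a documented limit.

```python
import os
import struct

BUFFER_BYTES = 512       # WCHAR Buffer[256] of the cleartext structure
WINDOWS_PW_BYTES = 240   # from the report: length Windows clients use


def pack_cleartext_password(password: str) -> bytes:
    """Build the 516-byte cleartext blob (the step before encryption)."""
    pw = password.encode("utf-16-le")
    if len(pw) > BUFFER_BYTES:
        raise ValueError("password does not fit the 512-byte buffer")
    filler = os.urandom(BUFFER_BYTES - len(pw))  # random bytes in front
    return filler + pw + struct.pack("<I", len(pw))


def unpack_cleartext_password(blob: bytes) -> str:
    """Recover the password from a blob built by pack_cleartext_password."""
    if len(blob) != BUFFER_BYTES + 4:
        raise ValueError("unexpected blob size")
    (length,) = struct.unpack_from("<I", blob, BUFFER_BYTES)
    if length > BUFFER_BYTES or length % 2:
        raise ValueError("invalid length field")
    return blob[BUFFER_BYTES - length:BUFFER_BYTES].decode("utf-16-le")


def audit_password(password: str) -> dict:
    """Report whether a password fits the buffer and the Windows length."""
    nbytes = len(password.encode("utf-16-le"))
    return {
        "utf16_bytes": nbytes,
        "fits_buffer": nbytes <= BUFFER_BYTES,
        "within_windows_length": nbytes <= WINDOWS_PW_BYTES,
    }


if __name__ == "__main__":
    # Constructed samples: 120 chars (Windows length) and the 128..255
    # character range the report attributes to trust_pw_new_value().
    for chars in (120, 128, 255):
        sample = "A" * chars
        assert unpack_cleartext_password(pack_cleartext_password(sample)) == sample
        print(chars, audit_password(sample))
```

Every length in the 128 to 255 character range fits the buffer, which is why the direct paths accept it, while all of them exceed the 240-byte value.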
(In reply to Stefan Metzmacher from comment #0) Sorry, I meant it's related to https://bugzilla.samba.org/show_bug.cgi?id=12774 but that's for the RODC server.
This bug was referenced in samba master.
Created attachment 17184: Patches for v4-16-test
Created attachment 17185: Patches for v4-15-test
Created attachment 17186: Patches for v4-14-test
Jule, could you please apply the patches to the corresponding branches? Thanks!
Pushed to autobuild-v4-{16,15,14}-test.
This bug was referenced in samba v4-14-test.
This bug was referenced in samba v4-16-test.
This bug was referenced in samba v4-15-test.
Closing out bug report. Thanks!
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc5).
This bug was referenced in samba v4-15-stable (Release samba-4.15.6).
This bug was referenced in samba v4-14-stable (Release samba-4.14.13).