Bug 14984 - changing the machine password against an RODC likely destroys the domain join
Summary: changing the machine password against an RODC likely destroys the domain join
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.15.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-21 14:20 UTC by Stefan Metzmacher
Modified: 2022-04-04 12:49 UTC (History)
2 users (show)

See Also:


Attachments
Patches for v4-16-test (10.76 KB, patch)
2022-03-02 10:37 UTC, Stefan Metzmacher
asn: review+
Details
Patches for v4-15-test (10.75 KB, patch)
2022-03-02 10:37 UTC, Stefan Metzmacher
asn: review+
Details
Patches for v4-14-test (11.69 KB, patch)
2022-03-02 10:38 UTC, Stefan Metzmacher
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2022-02-21 14:20:17 UTC
If we send a netr_ServerPasswordSet2() to a (Windows) RODC we may destroy our
domain membership.

The reason is that trust_pw_new_value() generates member server password
with a length from 128 to 255, which means the UTF16 buffer is from 256 to
510 bytes for the samr_CryptPassword/netr_CryptPassword buffers.

These long passwords work fine via SAMR/ldap/netr_ServerPasswordSet2(on an RWDC),
but the problem is the way RODCs proxy netr_ServerPasswordSet2 to RWDCs.
The netr_ServerPasswordSet2 is proxied as PasswordUpdateForward Request Message (MS-SAMS 2.2.4) via NetrLogonSendToSam.

But NetrLogonSendToSam returns NT_STATUS_INVALID_PARAMETER if the password is too long. (I saw a buffer with 302 bytes to be rejected, while 240 bytes where accepted).

240 bytes is the value Windows clients are using, so we better use the same.
It would be good to know the exact limits, but using the same as Windows
is once again the best choice...

Note https://bugzilla.samba.org/show_bug.cgi?id=11900 is related, but it's
a bug report for the RODC itself, while this bug report for domain members.
Comment 1 Stefan Metzmacher 2022-02-21 19:09:31 UTC
(In reply to Stefan Metzmacher from comment #0)

Sorry, I meant it's related to https://bugzilla.samba.org/show_bug.cgi?id=12774
but that's for the RODC server.
Comment 2 Samba QA Contact 2022-02-23 08:50:04 UTC
This bug was referenced in samba master:

576bdb08c51c47c390cc390fbefdcfee275b7f0f
59ac782452c4993274fa837256a8b9c5675e707b
3b91be36581de1007427d539daffdaa62752412d
6bb7c0f24918329804b7f4fb71908e8fab99e266
725c94d57d3d656bc94633dacbac683a4c11d3e6
ad0b5561b492dfa28acfc9604b2358bb8b490703
5e2386336c49fab46c1192db972af5da1e916b32
Comment 3 Stefan Metzmacher 2022-03-02 10:37:10 UTC
Created attachment 17184 [details]
Patches for v4-16-test
Comment 4 Stefan Metzmacher 2022-03-02 10:37:48 UTC
Created attachment 17185 [details]
Patches for v4-15-test
Comment 5 Stefan Metzmacher 2022-03-02 10:38:08 UTC
Created attachment 17186 [details]
Patches for v4-14-test
Comment 6 Andreas Schneider 2022-03-07 10:08:48 UTC
Jule, could you please apply the patches to the corresponding branches? Thanks!
Comment 7 Jule Anger 2022-03-07 10:12:40 UTC
Pushed to autobuild-v4-{16,15,14}-test.
Comment 8 Samba QA Contact 2022-03-07 11:31:04 UTC
This bug was referenced in samba v4-14-test:

00aa1f8bbae0d60f05e4f9064f5f5703af73312b
8c58c14cd66504ffde4cd49e6fb4a4c681957a2f
097dbe8fe86adcb1868bf0f51351b93bedcaf613
fcd3dc4e445a404962fe17e8c5d9e970590e9a8b
98714cc23500ef4d4a37ec82dcd70efd37917555
24d05601ad7517ded8a2a50983c72bf6633c3dab
Comment 9 Samba QA Contact 2022-03-07 11:55:18 UTC
This bug was referenced in samba v4-16-test:

ac61afa50224a2ee6d3b521222b3c5210ba95947
e13a72df5f2f36f4dce5e1a51c0e0b5db2231db0
4872e1af2c1f826631fe45424af16a24dd8809d6
66d8622b6467419e7953100e752f448355e3a3ae
8c9bb2cafd62411cb904a8199e96e3948bbe9c20
a31721982fe63775ab3d0ad7e3dc00f647ffb5cc
5caac70d8d426e1f3afa40d05515d96669f24569
Comment 10 Samba QA Contact 2022-03-07 14:55:20 UTC
This bug was referenced in samba v4-15-test:

ba466f403e483e2e4f45fa8eed47c6273125e2fa
ca3a09a4fe463dc6675053a7551f3d5d467f2dee
eb5855341a1d34d89d1ec42b13d226dbf9dc1b4a
748130b3bd4c0db70aebcc6da649ec77227071ae
8321b9c0ed663a5b598c35e4df03fd2762e00a5f
36caaa10339ac21a66c11bd8814cc1679793a729
08def753517fcf64150ce4973aa44d883c4b5409
Comment 11 Jule Anger 2022-03-07 15:03:59 UTC
Closing out bug report.

Thanks!
Comment 12 Samba QA Contact 2022-03-08 14:57:33 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc5):

ac61afa50224a2ee6d3b521222b3c5210ba95947
e13a72df5f2f36f4dce5e1a51c0e0b5db2231db0
4872e1af2c1f826631fe45424af16a24dd8809d6
66d8622b6467419e7953100e752f448355e3a3ae
8c9bb2cafd62411cb904a8199e96e3948bbe9c20
a31721982fe63775ab3d0ad7e3dc00f647ffb5cc
5caac70d8d426e1f3afa40d05515d96669f24569
Comment 13 Samba QA Contact 2022-03-15 13:22:31 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

ba466f403e483e2e4f45fa8eed47c6273125e2fa
ca3a09a4fe463dc6675053a7551f3d5d467f2dee
eb5855341a1d34d89d1ec42b13d226dbf9dc1b4a
748130b3bd4c0db70aebcc6da649ec77227071ae
8321b9c0ed663a5b598c35e4df03fd2762e00a5f
36caaa10339ac21a66c11bd8814cc1679793a729
08def753517fcf64150ce4973aa44d883c4b5409
Comment 14 Samba QA Contact 2022-04-04 12:49:39 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.13):

00aa1f8bbae0d60f05e4f9064f5f5703af73312b
8c58c14cd66504ffde4cd49e6fb4a4c681957a2f
097dbe8fe86adcb1868bf0f51351b93bedcaf613
fcd3dc4e445a404962fe17e8c5d9e970590e9a8b
98714cc23500ef4d4a37ec82dcd70efd37917555
24d05601ad7517ded8a2a50983c72bf6633c3dab