RODC disconnected from AD

Published: April 21, 2022 - 6:39 PM
by TLa
Hello,

We need a RODC for user authentication on Linux that must work even when the Windows Active Directory is unreachable.
Has anyone managed to achieve this? (I've already spent a lot of time on it!)
The Active Directory is a Windows Server 2019; Samba4 2:4.13.17~dfsg-0ubuntu0.21.04.1 is running on Ubuntu 20.04, SSSD and PAM are configured, and SSH for a user registered in the Active Directory works correctly. However, if I add an iptables rule between the Active Directory and Linux, it stops working.

Given that the RODC implementation is fairly recent, is Samba 4.13.17 sufficient?

Thank you for sharing your experiences.

Best regards,
Thierry LARMOIRE.

Re: RODC disconnected from AD

Published: April 22, 2022 - 9:33 AM
by dcardon
Hi Thierry,

there are still a number of bugs in the RODC, particularly with password hash preloading and NTLM authentication forwarding.
Once you have the users in the `rodc allow replication group`, it's best to force preloading on the RODC. Normally, the RODC will retrieve credentials from the RWDC if it doesn't have them (and the user is part of the `rodc allow replication group`), but this doesn't work for NTLM authentication (and other unusual cases).

Does your SSSD authentication use NTLM or Kerberos?

Also, be careful with updating machine passwords using WinBind; there was/is a bug where a password change failed on a RODC, but the client still saved its new password locally (instead of rolling back).

I don't think there have been many changes to the RODC since version 4.13, but many other bugs have been fixed, and I encourage you to upgrade to a more recent version (at least 4.15 for production, or even 4.16 for testing; version 4.16 also includes djoin support).

Best regards,

Denis

Re: RODC disconnected from AD

Published: April 25, 2022 - 5:01 PM
by TLa
Good morning,

Thank you Denis for this feedback.

"The best thing to do is to force preloading" => with:

```
samba-tool rodc preload one_user --server=srv-dc1.xxxxxx.yyy --username admin --password admin_password
```

Is it only possible for one user at a time?

"Does your SSSD authentication use NTLM or Kerberos?"
Kerberos, I think:

```
[sssd]
domains = xxxxxx.yyy
config_file_version = 2
reconnection_retries = 2
sbus_timeout = 30
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/xxxxxx.yyy]
default_shell = /bin/bash
ad_server = t001-mc11-cpu2.xxxxxx.yyy,t001-mc12-cpu2.xxxxxx.yyy,srv-dc1.xxxxxx.yyy
#krb5_store_password_if_offline = True
krb5_store_password_if_offline = False
#cache_credentials = True
cache_credentials = False
krb5_realm = XXXXXX.YYY
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /var/home/%u@%d
ad_domain = xxxxxx.yyy
use_fully_qualified_names = True
#use_fully_qualified_names = False
ldap_id_mapping = True
#ldap_id_mapping = False
access_provider = ad
auth_provider = ad
ad_gpo_access_control = permissive
dns_resolver_server_timeout = 500
dns_resolver_op_timeout = 1
dns_resolver_timeout = 2
entry_cache_timeout = 60
ldap_search_timeout = 1
ldap_connection_expire_timeout = 60
```

"versions"
Ubuntu 22.04 has just been released with:

```
Package: samba
Architecture: amd64
Version: 2:4.15.5~dfsg-0ubuntu5
```

I'm going to try again with this version.

RODC state
Is there a way to see the password synchronization status on the RODC, and in which file are they saved (even if encrypted)?
I tried to find out in the 2.5 million lines of source code, but it's not clear who does what!

Best regards,
Thierry.

Re: RODC disconnected from AD

Published: May 10, 2022 - 1:42 PM
by TLa
Good morning,

I'll answer my own questions :D :

  • Password replication problem:

It is very important to pay attention to the groups:
-- Allowed RODC Password Replication Group
-- Denied RODC Password Replication Group
This applies to users and computers.
Note: domain administrators are in the denied group by default.

The problem can be detected by manually launching Samba and preloading a user:

```
sudo systemctl stop samba-ad-dc
sudo samba --foreground --no-process-group -d 5 --debug-stderr &

sudo samba-tool rodc preload user --server=dc.example.com --username user --password pass

[...]
../../source4/dsdb/repl/drepl_secret.c:49: repl secret disallowed for user CN=dc,OU=Domain Controllers,DC=example,DC=com - not in allowed replication group
```

  • Password replication status:

The passwords are stored in /var/lib/samba/private/sam.ldb.d/DC=example,DC=com.ldb
and we can list the entries that have a password with:

```
sudo ldbsearch --url /var/lib/samba/private/sam.ldb '(unicodePwd=*)' dn
```
Best regards,
Thierry.
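As an added example (not part of the thread), the two checks from the last post can be combined into an offline report: given the `dn` output of the `ldbsearch '(unicodePwd=*)'` query and the `samba -d 5` debug output from a preload attempt, it tells, for each account the RODC is expected to serve while disconnected, whether a password is cached and, if not, the reason the log gives. The sample outputs and account names are constructed, not taken from the thread.

```python
# Added example (not from the thread): offline check of which accounts the RODC
# has cached a password for, using constructed samples of the outputs shown above.
import re

# Constructed sample of `ldbsearch --url .../sam.ldb '(unicodePwd=*)' dn` output.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=alice,OU=Users,DC=example,DC=com

# record 2
dn: CN=RODC1,OU=Domain Controllers,DC=example,DC=com
"""
# Constructed sample of `samba -d 5 --debug-stderr` output during a preload attempt.
SAMPLE_LOG = """\
../../source4/dsdb/repl/drepl_secret.c:49: repl secret disallowed for user CN=bob,OU=Users,DC=example,DC=com - not in allowed replication group
"""

DN_RE = re.compile(r"^dn:\s*(.+?)\s*$", re.MULTILINE)
DISALLOWED_RE = re.compile(r"repl secret disallowed for user (CN=.+?) - (.+?)\s*$", re.MULTILINE)
CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def cached_dns(ldbsearch_output):
    """DNs that carry a unicodePwd on the RODC, i.e. accounts it can authenticate offline."""
    return {m.group(1) for m in DN_RE.finditer(ldbsearch_output)}

def disallowed_from_log(log):
    """Map DN -> reason for every 'repl secret disallowed' line in the debug log."""
    return {m.group(1): m.group(2) for m in DISALLOWED_RE.finditer(log)}

def account_name(dn):
    """First CN of a DN, lower-cased (escaped commas inside a CN are not handled)."""
    m = CN_RE.match(dn)
    return (m.group(1) if m else dn).lower()

def coverage_report(expected, ldbsearch_output, log):
    """Per expected account name: 'cached', or why the RODC holds no password for it."""
    cached = {account_name(dn) for dn in cached_dns(ldbsearch_output)}
    reasons = {account_name(dn): why for dn, why in disallowed_from_log(log).items()}
    report = {}
    for name in expected:
        key = name.lower()
        if key in cached:
            report[name] = "cached"
        elif key in reasons:
            report[name] = "not cached: " + reasons[key]   # e.g. wrong group membership
        else:
            report[name] = "not cached: never preloaded (check groups, then run samba-tool rodc preload)"
    return report
```

Run it against real output by feeding `coverage_report` the text of the two commands from the post instead of the constructed samples; an account reported as "never preloaded" is one that neither the cache nor the log knows about.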