Web lists-archives.com

[Samba] freeradiusradius password change via ntlm_auth and password replication between multiple DC




Hello,

I'm testing a setup of:

3 DC's all running samba 4.7, freeradius server 3.0.13 using managed switches for 802.1X auth for LAN. All clients are windows 7 or 10 machines, with AD obviously as backend. Windows use for 802.1x settings user and machine "enable single sign-on, authenticate immediately before logon"

I issue I face is this:
- when user password is expired, freeradius is able via ntlm_auth to change the password. When it does it picks a DC to contact, let's say DC3. Now DC3 has information about new user password. - when user continue his logon after password change (press OK on the "your password has changed" prompt), windows picks on it's own preferred DC, and if it picks let's say DC2, and password hasn't replicated yet, user will get "wrong password or username" and will get back to login screen. User then has to type newly set password again, and will be able to login without problem (enough time to replicate new password to all servers). Seems not that terrible, but knowing regular users they will be very confused and might start typing their "old" password, which is no longer valid, then lock themselves out (in worst case scenario).

What i gathered so far:
- moment when Windows tries to authenticate user during password change starts after pressing "OK" on the "Your password has changed" prompt, so if user waits ~3-5 seconds before pressing OK, he will be logged in without the error.

I thought, that behaviour should be like this:
- if there is "wrong user password" on DC, that DC should ask DC with PDC role as confirmation, but it doesn't seem to be the case. How I tested it? ON freeradius server in smb.conf i set "password server = DC1.MYDOMAIN.COM" (the one holding PDC FSMO), that way freeradius changed password always on the DC holding PDC role. So then DC2/3 should always ask DC1 for re-affirmation if the password is truly invalid, according to the wiki "Authentication failures on any DC in a domain caused of a wrong password are forwarded to the PDC emulator, before the password failure message is reported to the user." But still, scenario as above happened, that is - user changes password (on DC1), if user immediately presses "OK" on the "your password has changed" prompt, "wrong username or password" still happens unless: - user waits 2-5 seconds (password needs to replicate) OR windows picks same DC as logonserver that freeradius used.


So my question is:
is the "Authentication failures on any DC in a domain caused of a wrong password are forwarded to the PDC emulator, before the password failure message is reported to the user." from wiki not true, or it somehow doesn't work in this scenario?

Has anyone run into this specific issue and fixed it or made a viable workaround?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba