[Samba] Is RODC password replication different from the windows version by design or is it a bug?
- Date: Thu, 28 Mar 2019 16:31:51 +0100
- From: Adam Minski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Is RODC password replication different from the windows version by design or is it a bug?
I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question
about password replication:
Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)
states that a Samba RODC acts as a proxy server to a writable DC if users
are not members of the Allowed RODC Password Replication Group, which is
the behavior we knew (and what we want) from the MS RODCs. Our test
installation of the Samba RODC acts differently: users who are not
members of the Allowed RODC Password Replication Group are not able to
authenticate. The error messages are "winbind authentication for user
xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1"
and "repl secret disallowed for user xxx - not in allowed replication
group", and they are gone as soon as the user is a member of the allow
In the Samba admin book by Stefan Kania it is written that users who are
not in the allowed group are not able to authenticate via the RODC,
which is the way our test installation acts.
Should the Samba RODC act like the Windows version or is it different by