Is RODC password replication different from the Windows version by design, or is it a bug?


I've tried replacing some 2012R2 RODCs with samba-4.9.4 RODCs. One question about password replication:

The Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) states that a Samba RODC acts as a proxy to a writable DC if users are not members of the Allowed RODC Password Replication Group, which is the behaviour we knew (and want) from the MS RODCs. Our test installation of the Samba RODC acts differently: users who are not members of the Allowed RODC Password Replication Group are not able to authenticate. The error messages are "winbind authentication for user xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1" and "repl secret disallowed for user xxx - not in allowed replication group", and they are gone as soon as the user is a member of the allowed group.

In the Samba admin book by Stefan Kania it is written that users who are not in the allowed group are not able to authenticate via the RODC, which is the way our test installation acts.

Should the Samba RODC act like the Windows version, or is it different by design?
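As an added example (not part of the original post or of Samba itself), the following script triages RODC logon failures of the kind quoted above: it parses the two log messages, groups them per user, and splits the users into those whose failure is explained by not being in the Allowed RODC Password Replication Group, those that failed with the "repl secret disallowed" message although they are already members (which would point at stale group membership or a different cause), and those that failed for some other reason. The syslog prefix, the user names and the membership set are constructed for this example; in a real deployment the membership would come from `samba-tool group listmembers "Allowed RODC Password Replication Group"` run against a writable DC.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# The two messages quoted in the post. The user name may carry a domain
# prefix (DOMAIN\user), so match a run of non-whitespace characters.
_DISALLOWED_RE = re.compile(
    r"repl secret disallowed for user (\S+) - not in allowed replication group"
)
_WINBIND_FAIL_RE = re.compile(
    r"winbind authentication for user (\S+) FAILED with error "
    r"(NT_STATUS_\w+), authoritative=(\d)"
)

# Constructed sample log lines; the syslog prefix is an assumption about
# the log layout, the user names are made up.
SAMPLE_LOG = """\
Dec 14 09:12:01 rodc1 winbindd[1234]: repl secret disallowed for user alice - not in allowed replication group
Dec 14 09:12:01 rodc1 winbindd[1234]: winbind authentication for user alice FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1
Dec 14 09:13:17 rodc1 winbindd[1234]: repl secret disallowed for user bob - not in allowed replication group
Dec 14 09:13:17 rodc1 winbindd[1234]: winbind authentication for user bob FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1
Dec 14 09:15:40 rodc1 winbindd[1234]: winbind authentication for user carol FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
"""

# Constructed stand-in for the output of
#   samba-tool group listmembers "Allowed RODC Password Replication Group"
ALLOWED_MEMBERS: Set[str] = {"carol", "dave"}


def parse_rodc_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Collect, per user, whether the RODC refused to replicate the secret
    and which NT_STATUS codes winbind reported for the failed logons."""
    report: Dict[str, dict] = {}
    for line in lines:
        m = _DISALLOWED_RE.search(line)
        if m:
            entry = report.setdefault(m.group(1), {"disallowed": False, "errors": []})
            entry["disallowed"] = True
            continue
        m = _WINBIND_FAIL_RE.search(line)
        if m:
            entry = report.setdefault(m.group(1), {"disallowed": False, "errors": []})
            entry["errors"].append(m.group(2))
    return report


def classify(report: Dict[str, dict],
             allowed_members: Set[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split failed users into three sorted lists:
    blocked      - refused by the replication policy and not in the group
    inconsistent - refused by the policy although already a member
    other        - failed without a "repl secret disallowed" message"""
    blocked = sorted(u for u, e in report.items()
                     if e["disallowed"] and u not in allowed_members)
    inconsistent = sorted(u for u, e in report.items()
                          if e["disallowed"] and u in allowed_members)
    other = sorted(u for u, e in report.items() if not e["disallowed"])
    return blocked, inconsistent, other


if __name__ == "__main__":
    rep = parse_rodc_log(SAMPLE_LOG.splitlines())
    blocked, inconsistent, other = classify(rep, ALLOWED_MEMBERS)
    print("not in allowed group :", blocked)
    print("member but refused   :", inconsistent)
    print("other failures       :", other)
```

Feeding the real log and the real membership list into `classify` shows at a glance whether every NT_STATUS_REQUEST_NOT_ACCEPTED failure really corresponds to a user outside the group, which is the precondition for the question above being about the proxy behaviour rather than about something else.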


