Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?
- Date: Thu, 28 Mar 2019 16:32:03 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?
On Thu, 28 Mar 2019 16:31:51 +0100
Adam Minski via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One
> question about password replication:
> Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)
> states that samba RODC acts as a proxy server to a writable DC if
> users are not member of the Allowed RODC Password Replication Group,
> which is the behavior we knew (and what we want) from the MS RODCs.
Samba when running as an AD computer tries to emulate a Windows AD
computer, it isn't fully there yet, but from my understanding
this should work.
> Our test installation of the samba RODC acts different, users which
> are not members of the Allowed RODC Password Replication Group are
> not able to authenticate. The error messages are "winbind
> authentication for user xxx FAILED with error
> NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1"
From my understanding, if a RODC doesn't know a user, it should ask a
> and "repl secret disallowed for user xxx - not in allowed replication group",
Again, from my understanding, unless the user is in the 'Allowed RODC
Password Replication Group', their password shouldn't be cached locally
on a RODC, so that one is probably correct.
> and they are gone as soon as the user is a member of the allow group.
> In the Samba admin book by Stefan Kania is written that users who are
> not in the allowed group are not able to authenticate via the RODC,
> which is the way our test installation acts.
> Should the samba RODC act like the windows version or is it different
> by design?
Yes it should and there is a bug report for something similar already,
see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
I know that is for members of the denied group, but the substance is
the same: users are not getting authenticated on a RODC from a RWDC.
Can you please add to that bug report?
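As an added example, not code from this thread or from the Samba project: a small Python log triage that parses winbind messages of the two kinds quoted above and separates the expected "repl secret disallowed" notice (the RODC correctly refusing to cache a password) from the NT_STATUS_REQUEST_NOT_ACCEPTED failures that show the RODC did not proxy the authentication to a writable DC. The log lines are constructed; only their message formats come from the quoted error text, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
winbind authentication for user alice FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1
repl secret disallowed for user alice - not in allowed replication group
winbind authentication for user bob FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1
repl secret disallowed for user carol - not in allowed replication group
winbind authentication for user dave FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
"""

AUTH_FAIL_RE = re.compile(r"winbind authentication for user (\S+) FAILED with error (\S+?),")
REPL_DENY_RE = re.compile(r"repl secret disallowed for user (\S+) - not in allowed replication group")


def triage_rodc_log(text):
    """Group the RODC log by user.

    Returns {user: {"auth_errors": set of NT_STATUS codes, "repl_denied": bool}}.
    "repl_denied" alone is the normal outcome for a user outside the
    Allowed RODC Password Replication Group: the secret is not cached,
    and the RODC is expected to forward the logon to a RWDC instead.
    """
    users = defaultdict(lambda: {"auth_errors": set(), "repl_denied": False})
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            users[m.group(1)]["auth_errors"].add(m.group(2))
            continue
        m = REPL_DENY_RE.search(line)
        if m:
            users[m.group(1)]["repl_denied"] = True
    return dict(users)


def suspected_forwarding_failures(text):
    """Users whose only logon error is NT_STATUS_REQUEST_NOT_ACCEPTED.

    These are the cases worth attaching to the bug report: the RODC
    rejected the request itself instead of proxying it, independent of
    whether the password was (correctly) refused for local caching.
    """
    return sorted(user for user, info in triage_rodc_log(text).items()
                  if info["auth_errors"] == {"NT_STATUS_REQUEST_NOT_ACCEPTED"})
```

Users that show only the "repl secret disallowed" line (carol in the sample) are behaving as the wiki describes and need no action; a plain wrong-password failure (dave) is unrelated to RODC forwarding.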