Web lists-archives.com

Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?




On Thu, 28 Mar 2019 16:31:51 +0100
Adam Minski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One
> question about password replication:
> 
> Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) 
> states that samba RODC acts as a proxy server to a writable DC if
> users are not member of the Allowed RODC Password Replication Group,
> which is the behavior we knew (and what we want) from the MS RODCs.

Samba when running as an AD computer tries to emulate a Windows AD
computer, it isn't fully there yet, but from my understanding
this should work.

> Our test installation of the samba RODC acts different, users which
> are not members of the Allowed RODC Password Replication Group are
> not able to authenticate. The error messages are "winbind
> authentication for user xxx FAILED with error
> NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1" 

>From my understanding, if a RODC doesn't know a user, it should ask a
RWDC

> and "repl secret disallowed for user xxx - not in allowed replication group",

Again, from my understanding, unless the user is in the 'Allowed RODC
Password Replication Group', their password shouldn't be cached locally
on a RODC, so that one is probably correct.

> and they are gone as soon as the user is a member of the allow group.
> 
> In the Samba admin book by Stefan Kania is written that users who are 
> not in the allowed group are not able to authenticate via the RODC, 
> which is the way our test installation acts.
> 
> 
> Should the samba RDOC act like the windows version or is it different
> by design?
> 

Yes it should and there is a bug report for something similar already,
see here: https://bugzilla.samba.org/show_bug.cgi?id=13377

I know that is for members of the denied group, but the substance is
the same, users are not getting authenticated on a RODC from a RWDC.

Can you please add to that bug report ?

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba