Web lists-archives.com

Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?




On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> 
> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> 
> [...]
> 
> > > Should the samba RDOC act like the windows version or is it different
> > > by design?
> > > 
> > 
> > Yes it should and there is a bug report for something similar already,
> > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > 
> > I know that is for members of the denied group, but the substance is
> > the same, users are not getting authenticated on a RODC from a RWDC.
> > 
> > Can you please add to that bug report ?
> > 
> > Rowland
> > 
> > 
> 
> Thanks Rowland, that's exactly the topic. Garming Sam has commented it 
> yesterday, the issue is that kerberos forwarding isn't implemented for 
> now. That is exactly what wee seeing, authentication works __after__ 
> (from the second attempt on) the initial password sync is done, the 
> first attempt isn't proxied.

It should work, as long as you are using the internal Heimdal KDC, and
I thought we even had tests for that.  The KDC propagates up a special
error code to the processing layer to say 'please proxy this packet to
a full DC' to trigger that

There are other things we don't fully implement (like forwarding bad
passwords, we do that by sending a bad NTLM password, not a Kerberos
one), but this much should work...

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba