
Re: [Samba] Is RODC password replication different from the windows version by design or is it a bug?

On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:

On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:


Should the samba RODC act like the windows version or is it different
by design?

Yes it should and there is a bug report for something similar already,
see here: https://bugzilla.samba.org/show_bug.cgi?id=13377

I know that is for members of the denied group, but the substance is
the same, users are not getting authenticated on a RODC from a RWDC.

Can you please add to that bug report?


Thanks Rowland, that's exactly the topic. Garming Sam commented on it
yesterday; the issue is that Kerberos forwarding isn't implemented for
now. That is exactly what we're seeing: authentication works __after__
(from the second attempt on) the initial password sync is done, the
first attempt isn't proxied.

It should work, as long as you are using the internal Heimdal KDC, and
I thought we even had tests for that.  The KDC propagates up a special
error code to the processing layer to say 'please proxy this packet to
a full DC' to trigger that.

We use the internal Heimdal KDC, and it doesn't work, at least for version 4.9.4. Is there any stuff I can test? Or can you give me an entry point to the code? Thanks.


There are other things we don't fully implement (like forwarding bad
passwords, we do that by sending a bad NTLM password, not a Kerberos
one), but this much should work...

Andrew Bartlett
