[cifs-protocol] Authenticated at RODC flag?

Andrew Bartlett abartlet at samba.org
Fri Nov 25 05:18:27 UTC 2016

I remember somewhere there being a flag or special SID that indicated
the a session is authenticated at the RODC.  However I can't find any
evidence of it.

Is there any such flag, ideally for connections made to the LDAP
server, to tell me if the user session was authenticated at the RODC,
or if the authentication was passed to the full DC?

I realise I could do a SamLogonEx or Kerberos login and get the
logon_sever from the info3/PAC, but I want to know the full set of
options I have.

This will help me test the fall-back from the RODC to the full DC for
Samba, and the subsequent replication of the secrets (if permitted). 

Also, where is the fallback to the PDC documented, when a user
authenticates (by any means) to an RODC but the password isn't there,
or wasn't correct?


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the cifs-protocol mailing list