[cifs-protocol] Authenticated at RODC flag? 116112514986292, 116112514986305

[Nathan Manis]

[case mail to cc:, dochelp to bcc:]

Hi Andrew,

Thank you for contacting the open protocols team.  Two cases have been created to assist in answering the questions.   The case numbers are as follows:

	116112514986292,  Authenticated at RODC flag?   Is there a flag lag or special SID that indicated the a session is authenticated at the RODC

	116112514986305,  Where is the fallback to the PDC documented, when a user authenticates (by any means) to an RODC but the password isn't there, or wasn't correct?


A  member of the open protocols team will be in contact to assist further.


Thanks,
Nathan Manis


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Friday, November 25, 2016 12:18 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Authenticated at RODC flag?

I remember somewhere there being a flag or special SID that indicated the a session is authenticated at the RODC.  However I can't find any evidence of it.

Is there any such flag, ideally for connections made to the LDAP server, to tell me if the user session was authenticated at the RODC, or if the authentication was passed to the full DC?

I realise I could do a SamLogonEx or Kerberos login and get the logon_sever from the info3/PAC, but I want to know the full set of options I have.

This will help me test the fall-back from the RODC to the full DC for Samba, and the subsequent replication of the secrets (if permitted). 

Also, where is the fallback to the PDC documented, when a user authenticates (by any means) to an RODC but the password isn't there, or wasn't correct?

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba