[cifs-protocol] [REG:117052515795463]: Q2of 4: Which change password is proxied from RODC to PDC?

Sreekanth Nadendla srenaden at microsoft.com
Tue Jun 13 21:51:01 UTC 2017

Hello Andrew, below is the answer to your question.

For Windows Vista/Windows Server 2008 or later:
RODC forwards the "Kerberos change password " request to a writable domain controller, where the write actually takes place.

For Windows XP, Windows Server 2003, or Microsoft Windows 2000:
Clients locate a writable domain controller to perform the "Kerberos change password ". RODC has no knowledge of the password change and does not immediately attempt to perform an RSO operation to get the new password. The RODC acquires the passwords for cacheable users when they log on at the RODC.

For more details on various Types of password change operations please review the following article.


Is it expected that RODC should be able to proxy Kerberos change password to the RWDC?
Which change password is proxied from RODC to PDC?
Currently, Samba does proxy authentication, realm trust requests, but are not proxing any password change.

Sreekanth Nadendla
Microsoft Windows Open Specifications

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20170613/196f9647/attachment.html>

More information about the cifs-protocol mailing list