badPwdCount with RODC

Andrew Bartlett abartlet at samba.org
Wed Jul 6 06:46:10 UTC 2016


On Wed, 2016-07-06 at 08:07 +0200, Andreas Schneider wrote:
> Hi Andrew,
> 
> you worked on bad password count lately. If you run:
> 
> make -j test TESTS="samba4.krb5.kdc.with.account.ALLOWED.permission.to.replicate.to.an.RODC"
> 
> I see a lot of the following messages:
> 
> Failed to set badPwdCount and lockoutTime to 0 and/or  lastlogon to now (131122583756306070) CN=testallowed,CN=Users,DC=samba,DC=example,DC=com: Invalid LDB reply type 1162167621
> 
> Maybe you have time to look into that, it doesn't look good.

I'm pretty sure it just means that the modification failed due to a referral, which is what we get (sometimes!) when trying to make changes to the RODC.

It turns out our RODC is pretty broken in other ways; Garming just found a bug where we allow an ADD on an RODC!

Thankfully we have an upcoming client task to 'fix' RODC support (at least in part), so I'll add this to the list of things we sort out.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





