badPwdCount with RODC

Andrew Bartlett abartlet at
Wed Jul 6 06:46:10 UTC 2016

On Wed, 2016-07-06 at 08:07 +0200, Andreas Schneider wrote:
> Hi Andrew,
> you worked on bad password count lately. If you run:
> make -j test 
> I see a lot of the following messages:
> Failed to set badPwdCount and lockoutTime to 0 and/or  lastlogon to
> now 
> (131122583756306070)
> CN=testallowed,CN=Users,DC=samba,DC=example,DC=com: 
> Invalid LDB reply type 1162167621
> Maybe you have time to look into that, it doesn't look good.

I'm pretty sure it just means that the modification failed due to a referral, which is what we get (sometimes!) when trying to make changes to the RODC.

It turns our our RODC is pretty broken in other ways, Garming just found a bug where we allow an ADD on an RODC!

Thankfully we have an upcoming client task to 'fix' RODC support (at least in part), so I'll add this to the list of things we sort out.


Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list