badPwdCount with RODC
Andrew Bartlett
abartlet at samba.org
Wed Jul 6 06:46:10 UTC 2016
On Wed, 2016-07-06 at 08:07 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> you worked on bad password count lately. If you run:
>
> make -j test TESTS="samba4.krb5.kdc.with.account.ALLOWED.permission.to.replicate.to.an.RODC"
>
> I see a lot of the following messages:
>
> Failed to set badPwdCount and lockoutTime to 0 and/or lastlogon to
> now
> (131122583756306070)
> CN=testallowed,CN=Users,DC=samba,DC=example,DC=com:
> Invalid LDB reply type 1162167621
>
> Maybe you have time to look into that, it doesn't look good.
I'm pretty sure it just means that the modification failed due to a referral, which is what we get (sometimes!) when trying to make changes to the RODC.
It turns out our RODC is pretty broken in other ways, Garming just found a bug where we allow an ADD on an RODC!
Thankfully we have an upcoming client task to 'fix' RODC support (at least in part), so I'll add this to the list of things we sort out.
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba