NTLM authentication with onsite RODC failing with NT_STATUS_NO_TRUST_SAM_ACCOUNT.
Andrew Bartlett
abartlet at samba.org
Sat Nov 5 02:28:53 UTC 2016
On Fri, 2016-11-04 at 21:51 +0000, Hemanth Thummala wrote:
> Thanks Jeremy.
> I am able to fix the issue by adding the machine account to allowed
> RODC password replication group in Password Replication Policy(PRP)
> on RODC.
>
> Windows NetLogon event message was very obvious. :-)
>
> "USER ACTION
> If this is the first occurrence of this event for the specified
> computer and account, this may be a transient issue that doesn't
> require any action at this time. If this is a Read-Only Domain
> Controller and ‘TEST_FS1$' is a legitimate machine account for the
> computer ’TEST_FS1' then ’TEST_FS1' should be marked cacheable for
> this location if appropriate or otherwise ensure connectivity to a
> domain controller capable of servicing the request (for example a
> writable domain controller).”
>
> I am aware that we should always have this PRP policy set for machine
> account while performing domain join using RODC(I.e pre-create of
> machine account, etc). Not sure if this is mandatory if we use a
> writable DC for domain join and later use RODC for authentication
> purposes.
Just a note for others who may come across a similar issue:
Against Samba (rather than Windows) as an RODC, we will by my reading
return NT_STATUS_ACCESS_DENIED and not automatically trigger
replication of the secrets to the RODC. Both probably need to be
fixed. (If it ever does NTLM auth to the DC, that will trigger the
replication).
A workaround would be to run samba-tool rodc preload on the machine
accounts, initially, and once machine account password change.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list