NTLM authentication with onsite RODC failing with NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Andrew Bartlett abartlet at samba.org
Sat Nov 5 02:28:53 UTC 2016

On Fri, 2016-11-04 at 21:51 +0000, Hemanth Thummala wrote:
> Thanks Jeremy.
> I am able to fix the issue by adding the machine account to allowed
> RODC password replication group in Password Replication Policy(PRP)
> on RODC.
> Windows NetLogon event message was very obvious. :-)
> If this is the first occurrence of this event for the specified
> computer and account, this may be a transient issue that doesn't
> require any action at this time.  If this is a Read-Only Domain
> Controller and ‘TEST_FS1$' is a legitimate machine account for the
> computer ’TEST_FS1' then ’TEST_FS1' should be marked cacheable for
> this location if appropriate or otherwise ensure connectivity to a
> domain controller  capable of servicing the request (for example a
> writable domain controller).”
> I am aware that we should always have this PRP policy set for machine
> account while performing domain join using RODC(I.e pre-create of
> machine account, etc). Not sure if this is mandatory if we use a
> writable DC for domain join and later use RODC for authentication
> purposes.

Just a note for others who may come across a similar issue:  

Against Samba (rather than Windows) as an RODC, we will by my reading
return NT_STATUS_ACCESS_DENIED and not automatically trigger
replication of the secrets to the RODC.  Both probably need to be
fixed.  (If it ever does NTLM auth to the DC, that will trigger the

A workaround would be to run samba-tool rodc preload on the machine
accounts, initially, and once machine account password change.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list