[Samba] RODC and LDAP via Simple Authentication fails

Andrew Bartlett abartlet at samba.org
Mon Jan 22 19:45:53 UTC 2018

On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote:
> Dear all,
> setting up a DMZ environment, I was thinking of using an RODC there for
> user authentication. One of the applications in the DMZ needs to access
> the directory via LDAP.
> When I tried to connect to the RODC using LDAP with simple bind, I
> always received the following error
> ldap_bind: Invalid credentials (49)
>         additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 6fa, v1db1
> even though the credentials used are correct and do work with the
> "normal" DCs.
> I have already added the corresponding user to the group "Allowed RODC
> Password Replication Group", but that did not change anything...
> Authentication through Kerberos seems to work, but is not an option for
> the application, unfortunately.
> Did I miss anything that prevents my scenario from working by design? Thanks
> a lot for your help!

It should work with the current release; the simple bind should get
converted into an NTLM login and passed along via winbind, so this is
quite odd. Are you using Samba 4.7?

(If you are not running 4.7, just take care to upgrade by doing a new
join, not an in-place upgrade, due to a linked attribute bug just
reported and fixed).


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
