[Samba] RODC and LDAP via Simple Authentication fails

Mon Jan 22 19:56:36 UTC 2018

Hi Andrew,

I am deeply impressed by your speed! :D

The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.

Any suggestion how I can debug this w/o setting everything on level 10? ;)

Best regards
Johannes

Am 22.01.2018 um 20:45 schrieb Andrew Bartlett:
> On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote:
>> Dear all,
>>
>> setting up a DMZ environment I was thinking to use an RODC there for
>> user authentication. One of the application in the DMZ needs to access
>> the directory via LDAP.
>>
>> When I tried to connect to the RODC using LDAP with simple bind, I
>> always received the following error
>>
>> ldap_bind: Invalid credentials (49)
>>         additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 6fa, v1db1
>>
>> even though the credentials used are correct and do work with the
>> "normal" DCs.
>>
>> I have already added the corresponding user to the group "Allowed RODC
>> Password Replication Group", but that did not change anything...
>>
>> Authentication through Kerberos seems to work, but is not an option for
>> the application, unfortunately.
>>
>> Did I miss anything that prevents my scenario to work by design? Thanks
>> a lot for your help!
> It should work with the current release, the simple bind should get
> converted into an NTLM login and passed along via winbind, so this is
> quite odd.  Are you using Samba 4.7?  
>
> (If you are not running 4.7, just take care to upgrade by doing a new
> join, not an in-place upgrade due to a linked attribute bug just
> reported and fixed). 
>
> Thanks,
>
> Andrew Bartlett
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 512 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180122/96fbafd8/signature.sig>