[Samba] freeradiusradius password change via ntlm_auth and password replication between multiple DC

Kacper Wirski kacper.wirski at gmail.com
Sat Jan 27 09:33:39 UTC 2018


Hello,

I'm testing a setup of:

3 DCs, all running Samba 4.7, a FreeRADIUS server 3.0.13, and managed 
switches for 802.1X auth on the LAN. All clients are Windows 7 or 10 
machines, with AD obviously as backend. The Windows 802.1X settings use 
user and machine authentication with "enable single sign-on, authenticate 
immediately before logon".

The issue I face is this:
- when the user password is expired, freeradius is able, via ntlm_auth, to 
change the password. When it does, it picks a DC to contact, let's say 
DC3. Now DC3 has the new user password.
- when the user continues his logon after the password change (presses OK 
on the "your password has changed" prompt), Windows picks its own 
preferred DC, and if it picks, let's say, DC2, and the password hasn't 
replicated yet, the user will get "wrong password or username" and will 
be sent back to the login screen.
The user then has to type the newly set password again, and will be able 
to log in without problem (enough time to replicate the new password to 
all servers). Seems not that terrible, but knowing regular users, they 
will be very confused and might start typing their "old" password, which 
is no longer valid, and then lock themselves out (in the worst case 
scenario).

What I gathered so far:
- the moment when Windows tries to authenticate the user during the 
password change starts after pressing "OK" on the "Your password has 
changed" prompt, so if the user waits ~3-5 seconds before pressing OK, 
he will be logged in without the error.

I thought the behaviour should be like this:
- if there is a "wrong user password" on a DC, that DC should ask the DC 
with the PDC role for confirmation, but that doesn't seem to be the case. 
How I tested it: on the freeradius server, in smb.conf, I set 
"password server = DC1.MYDOMAIN.COM" (the one holding the PDC FSMO), so 
that freeradius always changed the password on the DC holding the PDC 
role. So then DC2/3 should always ask DC1 for re-affirmation if the 
password is truly invalid, according to the wiki: "Authentication 
failures on any DC in a domain caused of a wrong password are forwarded 
to the PDC emulator, before the password failure message is reported to 
the user."
But still, the scenario above happened, that is: the user changes the 
password (on DC1); if the user immediately presses "OK" on the "your 
password has changed" prompt, "wrong username or password" still happens 
unless:
- the user waits 2-5 seconds (the password needs to replicate) OR Windows 
picks the same DC as logon server that freeradius used.


So my question is:
is the statement "Authentication failures on any DC in a domain caused 
of a wrong password are forwarded to the PDC emulator, before the 
password failure message is reported to the user." from the wiki not 
true, or does it somehow not work in this scenario?

Has anyone run into this specific issue and fixed it or made a viable 
workaround?
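A diagnostic for the replication-lag scenario described above, added here as an example and not part of the original post: it asks each DC over LDAP for the user's pwdLastSet attribute and reports which DCs still hold a stale value after the ntlm_auth password change. The DC hostnames, base DN and bind credentials are assumptions; the sample replies at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a password change
# has replicated to every DC by comparing the pwdLastSet value each DC returns.

# check_converged: takes text with one "dcname pwdLastSet" line per DC.
# Returns 0 if every DC reports the same pwdLastSet, 1 otherwise (and prints
# the DCs whose value differs from the first DC's, i.e. the stale replicas).
check_converged() {
    first=$(printf '%s\n' "$1" | awk 'NR==1{print $2}')
    stale=$(printf '%s\n' "$1" | awk -v ref="$first" '$2 != ref {print $1}')
    if [ -n "$stale" ]; then
        printf 'not converged, stale DCs: %s\n' "$stale" | tr '\n' ' '
        echo
        return 1
    fi
    printf 'converged: pwdLastSet=%s on all DCs\n' "$first"
    return 0
}

# query_dcs: ask each DC (arguments after the username) for pwdLastSet with
# ldbsearch from the samba package. BASE_DN, BIND_USER and BIND_PASS are
# assumed environment variables. Emits "dcname value" lines for check_converged.
query_dcs() {
    user="$1"; shift
    for dc in "$@"; do
        val=$(ldbsearch -H "ldap://$dc" -U "$BIND_USER%$BIND_PASS" \
                -b "$BASE_DN" "(sAMAccountName=$user)" pwdLastSet 2>/dev/null \
              | awk '/^pwdLastSet:/{print $2}')
        printf '%s %s\n' "$dc" "${val:-UNKNOWN}"
    done
}

# Constructed sample replies: dc2 still holds the pre-change pwdLastSet, which
# is exactly the state that produces "wrong username or password" on logon.
SAMPLE_REPLIES='dc1.mydomain.com 131610000000000000
dc2.mydomain.com 131600000000000000
dc3.mydomain.com 131610000000000000'

check_converged "$SAMPLE_REPLIES" || :
```

Against live DCs the call is `check_converged "$(query_dcs jdoe dc1.mydomain.com dc2.mydomain.com dc3.mydomain.com)"`, run in a loop until it returns 0 to measure how long convergence actually takes.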


