[Samba] freeradiusradius password change via ntlm_auth and password replication between multiple DC
kacper.wirski at gmail.com
Sat Jan 27 09:33:39 UTC 2018
I'm testing a setup of:
3 DCs all running samba 4.7, freeradius server 3.0.13 using managed
switches for 802.1X auth for LAN. All clients are Windows 7 or 10
machines, with AD obviously as backend. Windows uses for 802.1x settings
user and machine "enable single sign-on, authenticate immediately before
The issue I face is this:
- when the user's password is expired, freeradius is able via ntlm_auth to
change the password. When it does it picks a DC to contact, let's say
DC3. Now DC3 has information about the new user password.
- when the user continues his logon after the password change (presses OK on the
"your password has changed" prompt), Windows picks on its own a preferred
DC, and if it picks let's say DC2, and the password hasn't replicated yet,
the user will get "wrong password or username" and will get back to login
User then has to type newly set password again, and will be able to
login without problem (enough time to replicate new password to all
servers). Seems not that terrible, but knowing regular users they will
be very confused and might start typing their "old" password, which is
no longer valid, then lock themselves out (in worst case scenario).
What I gathered so far:
- moment when Windows tries to authenticate user during password change
starts after pressing "OK" on the "Your password has changed" prompt, so
if user waits ~3-5 seconds before pressing OK, he will be logged in
without the error.
I thought, that behaviour should be like this:
- if there is a "wrong user password" on a DC, that DC should ask the DC with
the PDC role as confirmation, but it doesn't seem to be the case. How did I
test it? On the freeradius server in smb.conf I set "password server =
DC1.MYDOMAIN.COM" (the one holding the PDC FSMO), that way freeradius
changed the password always on the DC holding the PDC role. So then DC2/3 should
always ask DC1 for re-affirmation if the password is truly invalid,
according to the wiki "Authentication failures on any DC in a domain
caused of a wrong password are forwarded to the PDC emulator, before the
password failure message is reported to the user."
But still, the scenario as above happened, that is: the user changes the password
(on DC1), and if the user immediately presses "OK" on the "your password has
changed" prompt, "wrong username or password" still happens unless:
- the user waits 2-5 seconds (password needs to replicate) OR Windows picks the
same DC as logon server that freeradius used.
So my question is:
is the "Authentication failures on any DC in a domain caused of a wrong
password are forwarded to the PDC emulator, before the password failure
message is reported to the user." from wiki not true, or it somehow
doesn't work in this scenario?
Has anyone run into this specific issue and fixed it or made a viable
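An added diagnostic for the replication lag described in the post (example code, not from the post or from Samba): it reads the user's pwdLastSet attribute from each DC with Samba's ldbsearch and reports which DCs still hold the old value. The DC names, base DN and the sample FILETIME values below are constructed.

```python
"""Check whether a user's pwdLastSet has replicated to every DC (added example)."""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Windows FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD pwdLastSet value (FILETIME) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_pwd_last_set(ldb_output: str) -> Optional[int]:
    """Extract the pwdLastSet value from ldbsearch text output (None if absent)."""
    match = re.search(r"^pwdLastSet:\s*(\d+)\s*$", ldb_output, re.MULTILINE)
    return int(match.group(1)) if match else None


def query_dc(dc: str, base_dn: str, sam_account: str, creds: str) -> Optional[int]:
    """Ask one DC over LDAP for the user's pwdLastSet (needs a live DC; not run offline)."""
    cmd = ["ldbsearch", "-H", f"ldap://{dc}", "-U", creds, "-b", base_dn,
           f"(sAMAccountName={sam_account})", "pwdLastSet"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_pwd_last_set(out)


def replication_report(values: Dict[str, int]) -> dict:
    """Given {dc_name: pwdLastSet}, list the DCs that still hold an older value."""
    newest = max(values.values())
    stale = sorted(dc for dc, v in values.items() if v < newest)
    return {"newest": filetime_to_datetime(newest).isoformat(),
            "stale_dcs": stale, "in_sync": not stale}


# Constructed sample: DC1 and DC3 already have the new value, DC2 lags by 4 seconds.
SAMPLE = {
    "DC1": 131613572190000000,
    "DC2": 131613572150000000,
    "DC3": 131613572190000000,
}

if __name__ == "__main__":
    # Live use: values = {dc: query_dc(dc, "DC=mydomain,DC=com", "jdoe", "admin%pw") ...}
    print(replication_report(SAMPLE))
```

Polling this right after an ntlm_auth-driven change shows how long DC2 stays stale, which is the window in which the post's "wrong username or password" appears.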