[Samba] Is RODC password replication different from the windows version by design or is it a bug?

Adam Minski aminski316 at gmail.com
Thu Mar 28 15:31:51 UTC 2019


I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question 
about password replication:

Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) 
states that samba RODC acts as a proxy server to a writable DC if users 
are not member of the Allowed RODC Password Replication Group, which is 
the behavior we knew (and what we want) from the MS RODCs. Our test 
installation of the samba RODC acts different, users which are not 
members of the Allowed RODC Password Replication Group are not able to 
authenticate. The error messages are "winbind authentication for user 
xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1" 
and "repl secret disallowed for user xxx - not in allowed replication 
group", and they are gone as soon as the user is a member of the allow 

In the Samba admin book by Stefan Kania is written that users who are 
not in the allowed group are not able to authenticate via the RODC, 
which is the way our test installation acts.

Should the samba RDOC act like the windows version or is it different by 


More information about the samba mailing list