[Samba] Is RODC password replication different from the windows version by design or is it a bug?
Adam Minski
aminski316 at gmail.com
Thu Mar 28 15:31:51 UTC 2019
Hi,
I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question
about password replication:
Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)
states that samba RODC acts as a proxy server to a writable DC if users
are not member of the Allowed RODC Password Replication Group, which is
the behavior we knew (and what we want) from the MS RODCs. Our test
installation of the samba RODC acts different, users which are not
members of the Allowed RODC Password Replication Group are not able to
authenticate. The error messages are "winbind authentication for user
xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1"
and "repl secret disallowed for user xxx - not in allowed replication
group", and they are gone as soon as the user is a member of the allow
group.
In the Samba admin book by Stefan Kania is written that users who are
not in the allowed group are not able to authenticate via the RODC,
which is the way our test installation acts.
Should the samba RDOC act like the windows version or is it different by
design?
Thx.
More information about the samba
mailing list