[Samba] Is RODC password replication different from the windows version by design or is it a bug?

Andrew Bartlett abartlet at samba.org
Fri Mar 29 09:37:30 UTC 2019

On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> [...]
> > > Should the samba RDOC act like the windows version or is it different
> > > by design?
> > > 
> > 
> > Yes it should and there is a bug report for something similar already,
> > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > 
> > I know that is for members of the denied group, but the substance is
> > the same, users are not getting authenticated on a RODC from a RWDC.
> > 
> > Can you please add to that bug report ?
> > 
> > Rowland
> > 
> > 
> Thanks Rowland, that's exactly the topic. Garming Sam has commented it 
> yesterday, the issue is that kerberos forwarding isn't implemented for 
> now. That is exactly what wee seeing, authentication works __after__ 
> (from the second attempt on) the initial password sync is done, the 
> first attempt isn't proxied.

It should work, as long as you are using the internal Heimdal KDC, and
I thought we even had tests for that.  The KDC propagates up a special
error code to the processing layer to say 'please proxy this packet to
a full DC' to trigger that

There are other things we don't fully implement (like forwarding bad
passwords, we do that by sending a bad NTLM password, not a Kerberos
one), but this much should work...

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list