[Samba] Is RODC password replication different from the windows version by design or is it a bug?
abartlet at samba.org
Fri Mar 29 09:37:30 UTC 2019
On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
> > > Should the samba RDOC act like the windows version or is it different
> > > by design?
> > >
> > Yes it should and there is a bug report for something similar already,
> > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
> > I know that is for members of the denied group, but the substance is
> > the same, users are not getting authenticated on a RODC from a RWDC.
> > Can you please add to that bug report ?
> > Rowland
> Thanks Rowland, that's exactly the topic. Garming Sam has commented it
> yesterday, the issue is that kerberos forwarding isn't implemented for
> now. That is exactly what wee seeing, authentication works __after__
> (from the second attempt on) the initial password sync is done, the
> first attempt isn't proxied.
It should work, as long as you are using the internal Heimdal KDC, and
I thought we even had tests for that. The KDC propagates up a special
error code to the processing layer to say 'please proxy this packet to
a full DC' to trigger that
There are other things we don't fully implement (like forwarding bad
passwords, we do that by sending a bad NTLM password, not a Kerberos
one), but this much should work...
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba