[Samba] Is RODC password replication different from the windows version by design or is it a bug?

Adam Minski aminski316 at gmail.com
Fri Mar 29 09:44:17 UTC 2019

On 03/29/2019 10:37 AM, Andrew Bartlett wrote:
> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:
>> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:
>> [...]
>>>> Should the samba RDOC act like the windows version or is it different
>>>> by design?
>>> Yes it should and there is a bug report for something similar already,
>>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>>> I know that is for members of the denied group, but the substance is
>>> the same, users are not getting authenticated on a RODC from a RWDC.
>>> Can you please add to that bug report ?
>>> Rowland
>> Thanks Rowland, that's exactly the topic. Garming Sam has commented it
>> yesterday, the issue is that kerberos forwarding isn't implemented for
>> now. That is exactly what wee seeing, authentication works __after__
>> (from the second attempt on) the initial password sync is done, the
>> first attempt isn't proxied.
> It should work, as long as you are using the internal Heimdal KDC, and
> I thought we even had tests for that.  The KDC propagates up a special
> error code to the processing layer to say 'please proxy this packet to
> a full DC' to trigger that

We use the internal Heimdal KDC, and it doesn't work, at least for 
version 4.9.4. Is there any stuff I can test? Or can you give me an 
entry point to the code? Thanks.


> There are other things we don't fully implement (like forwarding bad
> passwords, we do that by sending a bad NTLM password, not a Kerberos
> one), but this much should work...
> Andrew Bartlett

More information about the samba mailing list