[Samba] RODC in remote Site

Christian Naumer cn at brain-biotech.de
Mon Feb 15 20:12:02 UTC 2021



Am 15.02.21 um 15:48 schrieb cn--- via samba:

> I can run wbinfo -u/-g and get all the info. I can authenticate with wbinfo -a all 
> users that are preloaded and are in the "Allowed RODC Password Replication 
> Group". However, if a user is not preloaded, auth fails.
> 
> 
> [root at rodc ~]# wbinfo -a bir
> Enter bir's password:
> plaintext password authentication failed
> Could not authenticate user bir with plaintext password
> Enter bir's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(DOMAIN-02\bir): error code was 
> NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
> error message was: {Access Denied} A process has requested access to an 
> object but has not been granted those access rights.
> Could not authenticate user bir with challenge/response
> 
> While in the logs I see many of this:
> 
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 
> 15:43:30.146704,  1] 
> ../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Failed to prepare 
> SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED
> 
> And finally this:
> 
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 
> 15:43:30.147548,  2] 
> ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Auth: 
> [winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15 
> Feb 2021 15:43:30.147532 CET] with [NTLMv2] status 
> [NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped 
> to [(null)]\[(null)]. local host [unix:]
> 
> 
> This works if the user is preloaded.

Let's focus on this one. Should an RODC be able to authenticate any user 
regardless of whether they are in the Allowed RODC Password Replication Group? 
As far as I understand, any users not in that group are then passed to a 
normal DC for authentication. Is this correct?

Regards

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: Darmstadt Local Court (AG Darmstadt), HRB 24758
Management Board: Adriaan Moelker (Chairman of the Management Board), 
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
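As an added example (not part of this thread and not Samba's own code), here is a small Python parser for the two kinds of winbindd lines quoted in the mail: the human-readable "Auth:" event from auth_log.c and the "Failed to prepare SMB connection" message from winbindd_cm.c. It lets you see, across a whole log, which accounts the RODC is denying, whether those accounts were ever mapped, and whether the RODC was simultaneously failing to reach a writable DC. The sample log is constructed from the format shown in the mail (each event re-joined onto a single syslog line, as it appears in an actual journal) with an extra NT_STATUS_OK event for a second user added for contrast; the "likely forwarding problem" verdict is this example's own heuristic, not a Samba diagnostic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Layout of the human-readable line written by Samba's
# log_authentication_event_human_readable(), as quoted in the mail:
#   Auth: [src] user [DOM]\[user] at [time] with [method] status [NT_STATUS_x]
#   workstation [ws] remote host [rh] mapped to [DOM]\[user]. local host [lh]
AUTH_RE = re.compile(
    r"Auth: \[(?P<source>[^\]]*)\]"
    r" user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\]"
    r" with \[(?P<method>[^\]]*)\]"
    r" status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\]"
    r" remote host \[(?P<remote>[^\]]*)\]"
    r" mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]\."
    r" local host \[(?P<local>[^\]]*)\]"
)

# The winbindd_cm.c message from the same excerpt (cm_prepare_connection).
CM_RE = re.compile(
    r"Failed to prepare SMB connection to (?P<dc>\S+): (?P<status>NT_STATUS_\w+)"
)


@dataclass(frozen=True)
class AuthEvent:
    source: str
    domain: str
    user: str
    method: str
    status: str
    workstation: str
    mapped_domain: str
    mapped_user: str

    @property
    def account(self) -> str:
        return f"{self.domain}\\{self.user}"

    @property
    def mapped(self) -> bool:
        # Samba prints "mapped to [(null)]\[(null)]" when no account was resolved.
        return self.mapped_user != "(null)"


def parse_auth_events(log_text: str) -> List[AuthEvent]:
    """Extract every Auth: event; non-matching lines are ignored."""
    events: List[AuthEvent] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            d = m.groupdict()
            events.append(AuthEvent(d["source"], d["domain"], d["user"], d["method"],
                                    d["status"], d["workstation"],
                                    d["mapped_domain"], d["mapped_user"]))
    return events


def parse_dc_connection_failures(log_text: str) -> List[Tuple[str, str]]:
    """Return (dc, NT_STATUS) pairs for failed outbound DC connections."""
    return [(m.group("dc"), m.group("status"))
            for m in (CM_RE.search(line) for line in log_text.splitlines()) if m]


def summarize(log_text: str) -> Dict[str, object]:
    events = parse_auth_events(log_text)
    denied = Counter(e.account for e in events if e.status == "NT_STATUS_ACCESS_DENIED")
    ok = Counter(e.account for e in events if e.status == "NT_STATUS_OK")
    dc_failures = Counter(dc for dc, _ in parse_dc_connection_failures(log_text))
    # Heuristic (this example's own, not a Samba check): ACCESS_DENIED for an
    # account that never got mapped, alongside a failed connection to another
    # DC, is the pattern from the mail where the RODC could not hand the
    # request on to a writable DC.
    unmapped_denied = any(e.status == "NT_STATUS_ACCESS_DENIED" and not e.mapped
                          for e in events)
    return {
        "denied": dict(denied),
        "ok": dict(ok),
        "dc_connection_failures": dict(dc_failures),
        "likely_forwarding_problem": unmapped_denied and bool(dc_failures),
    }


# Constructed sample: the mail's lines re-joined onto single syslog lines,
# plus one NT_STATUS_OK event for a hypothetical user "alice".
SAMPLE_LOG = r"""
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.146704,  1] ../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Failed to prepare SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.147548,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Auth: [winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15 Feb 2021 15:43:30.147532 CET] with [NTLMv2] status [NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped to [(null)]\[(null)]. local host [unix:]
Feb 15 15:44:02 rodc.hq.domain.de winbindd[34442]:   Auth: [winbind,NTLM_AUTH, wbinfo, 34401] user [DOMAIN-02]\[alice] at [Mon, 15 Feb 2021 15:44:02.001200 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [RODC] remote host [unix:] mapped to [DOMAIN-02]\[alice]. local host [unix:]
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against `journalctl -u winbind` output (or the winbindd log file) instead of the embedded sample; the "mapped to [(null)]" marker is the quick tell that winbind denied the request before any account was resolved, which is what to look at first when only non-preloaded users fail.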
