[Samba] Cannot authenticate via rodc

Rowland penny rpenny at samba.org
Thu Jan 14 09:59:24 UTC 2021


On 14/01/2021 09:41, Adam Xu via samba wrote:
> Hello everybody
>
> I found a strange behavior when I authenticate via RODC.
>
> Suppose there is a user tom. I preload his  credential via:
>
> samba-tool rodc preload tom --server=dc1 -Uadministrator
>
> then I changed tom's password in AD Users and Computers tool.
>
> I do the following step:
>
> 1、I try to login a firewall which use rodc as a ldap server. I got 
> error "NT_STATUS_REQUEST_NOT_ACCEPTED" in json audit log.
>
> 2、when I try to login a windows domain member via tom's credentia. It 
> successed. and I got "NT_STATUS_OK" in json audit log.
>
> 3、I try to login the firewall again. this time, I successed.
>
> It seems that if the device is not a windows domain member, it can not 
> authenticated if the password was changed. Why?
>
This is probably because an RODC doesn't store passwords in the same way 
as a RWDC, it only caches a users info. What I think is happening is 
that when 'tom' tries to login with the new password, it doesn't match 
the one in the cache and then when you login into the Unix domain 
member, this allows time for the cache to be refreshed.

Rowland





More information about the samba mailing list