[Samba] Cannot authenticate via rodc

Adam Xu adam_xu at adagene.com.cn
Fri Jan 15 00:56:56 UTC 2021

在 2021/1/14 17:59, Rowland penny via samba 写道:
> On 14/01/2021 09:41, Adam Xu via samba wrote:
>> Hello everybody
>> I found a strange behavior when I authenticate via RODC.
>> Suppose there is a user tom. I preload his  credential via:
>> samba-tool rodc preload tom --server=dc1 -Uadministrator
>> then I changed tom's password in AD Users and Computers tool.
>> I do the following step:
>> 1、I try to login a firewall which use rodc as a ldap server. I got 
>> error "NT_STATUS_REQUEST_NOT_ACCEPTED" in json audit log.
>> 2、when I try to login a windows domain member via tom's credentia. It 
>> successed. and I got "NT_STATUS_OK" in json audit log.
>> 3、I try to login the firewall again. this time, I successed.
>> It seems that if the device is not a windows domain member, it can 
>> not authenticated if the password was changed. Why?
> This is probably because an RODC doesn't store passwords in the same 
> way as a RWDC, it only caches a users info. What I think is happening 
> is that when 'tom' tries to login with the new password, it doesn't 
> match the one in the cache and then when you login into the Unix 
> domain member, this allows time for the cache to be refreshed.

Hi Rowland

from your description, I think even a user is in the "Allowed RODC 
Password Replication Group", RODC still can not cache the user's new 
password automatically.

Only when the user try to login into the domain member, The RODC will 
cache the user's new password, So the RODC is not a good solution for 
the network device as a ldap server. is that Right?

> Rowland

More information about the samba mailing list