Adam Minski
2019-Mar-29 09:16 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: [...]>> Should the samba RDOC act like the windows version or is it different >> by design? >> > > Yes it should and there is a bug report for something similar already, > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 > > I know that is for members of the denied group, but the substance is > the same, users are not getting authenticated on a RODC from a RWDC. > > Can you please add to that bug report ? > > Rowland > >Thanks Rowland, that's exactly the topic. Garming Sam has commented it yesterday, the issue is that kerberos forwarding isn't implemented for now. That is exactly what wee seeing, authentication works __after__ (from the second attempt on) the initial password sync is done, the first attempt isn't proxied. Adam
Andrew Bartlett
2019-Mar-29 09:37 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote:> > On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: > > [...] > > > > Should the samba RDOC act like the windows version or is it different > > > by design? > > > > > > > Yes it should and there is a bug report for something similar already, > > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 > > > > I know that is for members of the denied group, but the substance is > > the same, users are not getting authenticated on a RODC from a RWDC. > > > > Can you please add to that bug report ? > > > > Rowland > > > > > > Thanks Rowland, that's exactly the topic. Garming Sam has commented it > yesterday, the issue is that kerberos forwarding isn't implemented for > now. That is exactly what wee seeing, authentication works __after__ > (from the second attempt on) the initial password sync is done, the > first attempt isn't proxied.It should work, as long as you are using the internal Heimdal KDC, and I thought we even had tests for that. The KDC propagates up a special error code to the processing layer to say 'please proxy this packet to a full DC' to trigger that There are other things we don't fully implement (like forwarding bad passwords, we do that by sending a bad NTLM password, not a Kerberos one), but this much should work... Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Adam Minski
2019-Mar-29 09:44 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/29/2019 10:37 AM, Andrew Bartlett wrote:> On Fri, 2019-03-29 at 10:16 +0100, Adam Minski via samba wrote: >> >> On 03/28/2019 05:32 PM, Rowland Penny via samba wrote: >> >> [...] >> >>>> Should the samba RDOC act like the windows version or is it different >>>> by design? >>>> >>> >>> Yes it should and there is a bug report for something similar already, >>> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 >>> >>> I know that is for members of the denied group, but the substance is >>> the same, users are not getting authenticated on a RODC from a RWDC. >>> >>> Can you please add to that bug report ? >>> >>> Rowland >>> >>> >> >> Thanks Rowland, that's exactly the topic. Garming Sam has commented it >> yesterday, the issue is that kerberos forwarding isn't implemented for >> now. That is exactly what wee seeing, authentication works __after__ >> (from the second attempt on) the initial password sync is done, the >> first attempt isn't proxied. > > It should work, as long as you are using the internal Heimdal KDC, and > I thought we even had tests for that. The KDC propagates up a special > error code to the processing layer to say 'please proxy this packet to > a full DC' to trigger thatWe use the internal Heimdal KDC, and it doesn't work, at least for version 4.9.4. Is there any stuff I can test? Or can you give me an entry point to the code? Thanks. Adam> > There are other things we don't fully implement (like forwarding bad > passwords, we do that by sending a bad NTLM password, not a Kerberos > one), but this much should work... > > Andrew Bartlett >
Reasonably Related Threads
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?
- Is RODC password replication different from the windows version by design or is it a bug?