On 14/01/2021 09:41, Adam Xu via samba wrote:
> Hello everybody
>
> I found a strange behavior when I authenticate via RODC.
>
> Suppose there is a user tom. I preload his credential via:
>
> samba-tool rodc preload tom --server=dc1 -Uadministrator
>
> then I changed tom's password in AD Users and Computers tool.
>
> I do the following step:
>
> 1. I try to login to a firewall which uses the RODC as an LDAP server. I got
> error "NT_STATUS_REQUEST_NOT_ACCEPTED" in the json audit log.
>
> 2. When I try to login to a Windows domain member via tom's credential, it
> succeeded, and I got "NT_STATUS_OK" in the json audit log.
>
> 3. I try to login to the firewall again. This time, I succeeded.
>
> It seems that if the device is not a Windows domain member, it cannot
> authenticate if the password was changed. Why?
>
This is probably because an RODC doesn't store passwords in the same way
as a RWDC; it only caches a user's info. What I think is happening is
that when 'tom' tries to log in with the new password, it doesn't match
the one in the cache, and then when you log into the Unix domain
member, this allows time for the cache to be refreshed.
Rowland
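The sequence Adam describes (a rejection with NT_STATUS_REQUEST_NOT_ACCEPTED on the LDAP-only device, then NT_STATUS_OK once the cache has caught up) is easy to spot in the JSON audit log. The script below is an added example, not code from the thread or from Samba; it assumes one JSON object per line with "status", "clientAccount" and "serviceDescription" under the "Authentication" key, and the log lines are constructed, not captured.

```python
import json
from collections import defaultdict

# Constructed sample lines (not real log output) mirroring the thread:
# tom refused on LDAP, accepted via Kerberos, then accepted on LDAP.
SAMPLE_LOG = """\
{"timestamp":"2021-01-14T09:10:00Z","type":"Authentication","Authentication":{"status":"NT_STATUS_REQUEST_NOT_ACCEPTED","clientAccount":"tom","serviceDescription":"LDAP","authDescription":"simple bind"}}
{"timestamp":"2021-01-14T09:12:00Z","type":"Authentication","Authentication":{"status":"NT_STATUS_OK","clientAccount":"tom","serviceDescription":"Kerberos KDC","authDescription":"ENC-TS Pre-authentication"}}
{"timestamp":"2021-01-14T09:15:00Z","type":"Authentication","Authentication":{"status":"NT_STATUS_OK","clientAccount":"tom","serviceDescription":"LDAP","authDescription":"simple bind"}}
{"timestamp":"2021-01-14T09:16:00Z","type":"Authentication","Authentication":{"status":"NT_STATUS_WRONG_PASSWORD","clientAccount":"alice","serviceDescription":"LDAP","authDescription":"simple bind"}}
"""

# Status the RODC returned in the thread when its cached credential was stale.
STALE_CACHE_STATUS = "NT_STATUS_REQUEST_NOT_ACCEPTED"


def parse_auth_events(text):
    """Yield (timestamp, account, service, status) for Authentication records."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") != "Authentication":
            continue  # skip Authorization and other record types
        auth = rec["Authentication"]
        yield (rec["timestamp"], auth["clientAccount"].lower(),
               auth["serviceDescription"], auth["status"])


def find_stale_cache_candidates(text):
    """Map account -> [(rejected_at, service, accepted_at)] for accounts refused
    with REQUEST_NOT_ACCEPTED on a service and later accepted on that service."""
    pending = defaultdict(dict)  # account -> {service: first rejection time}
    hits = defaultdict(list)
    for ts, account, service, status in parse_auth_events(text):
        if status == STALE_CACHE_STATUS:
            pending[account].setdefault(service, ts)
        elif status == "NT_STATUS_OK" and service in pending[account]:
            hits[account].append((pending[account].pop(service), service, ts))
    return dict(hits)


if __name__ == "__main__":
    for account, seq in find_stale_cache_candidates(SAMPLE_LOG).items():
        for rejected_at, service, accepted_at in seq:
            print(f"{account}: refused on {service} at {rejected_at}, accepted "
                  f"at {accepted_at}; check the RODC cache or re-run rodc preload")
```

A hit for an account whose password was just changed points at the RODC cache rather than at the client; a plain NT_STATUS_WRONG_PASSWORD (alice above) is not reported.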