Adam Minski
2019-Mar-28 15:31 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
Hi,

I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question about password replication:

Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) states that samba RODC acts as a proxy server to a writable DC if users are not members of the Allowed RODC Password Replication Group, which is the behavior we knew (and what we want) from the MS RODCs.

Our test installation of the samba RODC acts differently: users who are not members of the Allowed RODC Password Replication Group are not able to authenticate. The error messages are "winbind authentication for user xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1" and "repl secret disallowed for user xxx - not in allowed replication group", and they are gone as soon as the user is a member of the allow group.

In the Samba admin book by Stefan Kania it is written that users who are not in the allowed group are not able to authenticate via the RODC, which is the way our test installation acts.

Should the samba RODC act like the windows version or is it different by design?

Thx.
Rowland Penny
2019-Mar-28 16:32 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On Thu, 28 Mar 2019 16:31:51 +0100 Adam Minski via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question about password replication:
>
> Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) states that samba RODC acts as a proxy server to a writable DC if users are not member of the Allowed RODC Password Replication Group, which is the behavior we knew (and what we want) from the MS RODCs.

Samba when running as an AD computer tries to emulate a Windows AD computer, it isn't fully there yet, but from my understanding this should work.

> Our test installation of the samba RODC acts different, users which are not members of the Allowed RODC Password Replication Group are not able to authenticate. The error messages are "winbind authentication for user xxx FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1"

From my understanding, if a RODC doesn't know a user, it should ask a RWDC.

> and "repl secret disallowed for user xxx - not in allowed replication group",

Again, from my understanding, unless the user is in the 'Allowed RODC Password Replication Group', their password shouldn't be cached locally on a RODC, so that one is probably correct.

> and they are gone as soon as the user is a member of the allow group.
>
> In the Samba admin book by Stefan Kania is written that users who are not in the allowed group are not able to authenticate via the RODC, which is the way our test installation acts.
>
> Should the samba RDOC act like the windows version or is it different by design?

Yes it should and there is a bug report for something similar already, see here: https://bugzilla.samba.org/show_bug.cgi?id=13377

I know that is for members of the denied group, but the substance is the same, users are not getting authenticated on a RODC from a RWDC.

Can you please add to that bug report?

Rowland
Adam Minski
2019-Mar-29 09:16 UTC
[Samba] Is RODC password replication different from the windows version by design or is it a bug?
On 03/28/2019 05:32 PM, Rowland Penny via samba wrote:

[...]

>> Should the samba RDOC act like the windows version or is it different by design?
>
> Yes it should and there is a bug report for something similar already, see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>
> I know that is for members of the denied group, but the substance is the same, users are not getting authenticated on a RODC from a RWDC.
>
> Can you please add to that bug report?
>
> Rowland

Thanks Rowland, that's exactly the topic. Garming Sam commented on it yesterday; the issue is that kerberos forwarding isn't implemented for now. That is exactly what we're seeing: authentication works __after__ (from the second attempt on) the initial password sync is done, the first attempt isn't proxied.

Adam
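The two failure messages quoted in this thread can be used to tell the two RODC situations apart from a Samba log: a user whose secrets are never replicated (not in the Allowed RODC Password Replication Group) versus a user whose first attempt is rejected and later attempts succeed once the password has been synced. This is an added example, not code from the thread or from Samba; the two FAILED/"repl secret disallowed" patterns are the messages quoted above, while the success line wording and the user names are constructed for the sample input and would need adjusting to your real winbind log level and format.

```python
import re
from collections import defaultdict

# Wording of the two messages quoted in the thread.
FAILED_RE = re.compile(
    r"winbind authentication for user (?P<user>\S+) FAILED with error "
    r"(?P<status>NT_STATUS_\w+)")
REPL_DENIED_RE = re.compile(
    r"repl secret disallowed for user (?P<user>\S+) - not in allowed replication group")
# Assumed success wording, constructed for this example (not quoted from the thread).
SUCCESS_RE = re.compile(r"winbind authentication for user (?P<user>\S+) succeeded")

NOT_ALLOWED = "not in Allowed RODC Password Replication Group; never authenticated via RODC"
FIRST_ATTEMPT_ONLY = "first attempt rejected, later attempts succeeded after password sync"
OK = "authenticated"

def classify_rodc_auth(lines):
    """Map each user seen in the log lines to one verdict, in log order."""
    events = defaultdict(list)  # user -> [(kind, nt_status_or_None), ...]
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events[m["user"]].append(("failed", m["status"]))
            continue
        m = REPL_DENIED_RE.search(line)
        if m:
            events[m["user"]].append(("repl_denied", None))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            events[m["user"]].append(("ok", None))
    verdicts = {}
    for user, evs in events.items():
        kinds = [k for k, _ in evs]
        if "repl_denied" in kinds and "ok" not in kinds:
            verdicts[user] = NOT_ALLOWED            # secrets never cached on the RODC
        elif kinds[0] == "failed" and "ok" in kinds:
            verdicts[user] = FIRST_ATTEMPT_ONLY     # the un-proxied first attempt
        elif "ok" in kinds:
            verdicts[user] = OK
        else:
            verdicts[user] = "failed: " + ", ".join(s for _, s in evs if s)
    return verdicts

# Constructed sample log (user names and the success line are made up).
SAMPLE_LOG = [
    "winbind authentication for user alice FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1",
    "repl secret disallowed for user alice - not in allowed replication group",
    "winbind authentication for user bob FAILED with error NT_STATUS_REQUEST_NOT_ACCEPTED, authoritative=1",
    "winbind authentication for user bob succeeded",
    "winbind authentication for user carol succeeded",
]
```

Run over a real log, users landing in the first bucket are candidates for the allowed group (or are correctly excluded by policy), while the second bucket is the behaviour discussed in bug 13377.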