search for: myrodc

...;> authoritative=1 > Hmm. Are you sure the RODC's join to the domain is all OK? Certainly to me it looks ok: Finding a writeable DC for domain 'my.domain.com' Found DC dc.my.domain.com Password for [MYDOMAIN\Administrator]: workgroup is MYDOMAIN realm is my.domain.com Deleted CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com Adding CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com Adding CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com Got krbtgt_name=krbtgt_38921 Renaming CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com to CN=krbtgt_38921,CN=Us...

That was exactly what I was looking for. I hope 4.8 should not be too far away... ;) In the meantime I found this in the logs at level 2: [2018/01/22 21:15:50.010307,  3] ../source4/auth/ntlm/auth.c:240(auth_check_password_send)   auth_check_password_send: Checking password for unmapped user [(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com]@[(null)]   auth_check_password_send: user is: