The Samba-Bugzilla – Bug 13879
Simple bind doesn't work against an RODC (with non-preloaded users)
Last modified: 2019-04-02 01:08:05 UTC
It's unclear whether this has been broken for a long time or not, but in Samba 4.10 this doesn't work.
source3/winbindd/winbindd_irpc.c - wb_irpc_SamLogon
Returns NT_STATUS_REQUEST_NOT_ACCEPTED for non-UPN bind DNs (due to a missing target domain).
There appears to be crude handling of UPNs in wb_irpc_SamLogon which allows these to be forwarded onto winbind, however, there are some minor issues in winbind which prevent the authentication from succeeding (still).
How to correct the non-UPN DN bind isn't exactly clear currently. Somewhere in the stack, the name needs to be re-cracked, or the mapped name needs to be plumbed through (possibly with a flag).
Created attachment 15032
Test that fails currently
Here is a quick attempt at a test, note that this uses the standard user DN (there probably needs to be a test using the UPN). I'm not sure that this test actually works properly (and will work once simple binds are fixed), but at least it shows that this fails.
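As an added illustration (not Samba's code and not the attached test): a hypothetical Python model of why a DN-form simple bind is rejected where a UPN-form bind is forwarded, and what "re-cracking" the name would have to supply. `crack_upn_only`, `crack_full`, `sam_logon` and `CrackedName` are invented names; the status strings only mirror the NTSTATUS names quoted in the report.

```python
# Hypothetical model, not Samba source: a simple-bind identity must be
# "cracked" into (target_domain, account) before a SamLogon can be
# forwarded to winbind. Without a target domain the request is rejected.
import re
from dataclasses import dataclass
from typing import Callable, Optional

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_REQUEST_NOT_ACCEPTED = "NT_STATUS_REQUEST_NOT_ACCEPTED"


@dataclass
class CrackedName:
    domain: Optional[str]  # target domain winbind must forward to (None = unknown)
    account: str


def crack_upn_only(bind_name: str) -> CrackedName:
    """Crude handling: only user@realm yields a target domain; a DN yields none."""
    if "@" in bind_name and "=" not in bind_name:
        user, realm = bind_name.rsplit("@", 1)
        return CrackedName(realm.upper(), user)
    return CrackedName(None, bind_name)


def crack_full(bind_name: str) -> CrackedName:
    """Also derive the domain from an NT4 name or the DC= components of a DN.

    The account is taken from the leading CN= here for illustration; a real
    implementation would look up sAMAccountName from the directory instead.
    """
    if "\\" in bind_name:  # NT4 form DOMAIN\user
        domain, user = bind_name.split("\\", 1)
        return CrackedName(domain.upper(), user)
    if "=" in bind_name:  # looks like an LDAP DN
        rdns = [p.strip() for p in re.split(r"(?<!\\),", bind_name)]
        dcs = [r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC=")]
        cn = next((r.split("=", 1)[1] for r in rdns if r.upper().startswith("CN=")), bind_name)
        return CrackedName(".".join(dcs).upper() if dcs else None, cn)
    return crack_upn_only(bind_name)


def sam_logon(bind_name: str, cracker: Callable[[str], CrackedName]) -> str:
    """Model of the forwarding decision: no target domain means the logon is refused."""
    cracked = cracker(bind_name)
    if cracked.domain is None:
        return NT_STATUS_REQUEST_NOT_ACCEPTED
    return NT_STATUS_OK
```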