2 files changed, 5 insertions, 2 deletions

diff --git a/selftest/knownfail b/selftest/knownfail
index 76578c9517a..c6047c85445 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,4 +335,3 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_ntlm
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index cfe7455501b..0b175b5ecc7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -174,6 +174,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 	struct ldb_message *dom_msg;
 	struct samr_Password *lm_pwd;
 	struct samr_Password *nt_pwd;
+	bool am_rodc;
 
 	tmp_ctx = talloc_new(mem_ctx);
 	if (tmp_ctx == NULL) {
@@ -196,7 +197,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 	}
 
 	if (lm_pwd == NULL && nt_pwd == NULL) {
-		bool am_rodc;
 		if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
 			/*
 			 * we don't have passwords for this
@@ -458,6 +458,10 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 			  nt_errstr(nt_status)));
 	}
 
+	if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
+		*authoritative = false;
+	}
+
 	TALLOC_FREE(tmp_ctx);
 	return NT_STATUS_WRONG_PASSWORD;
 }