Hello All,
sorry for the long post...
I have deployed a RODC in a remote site. The Site and the subnet were
already created but had no DC. I have set up the RODC as I would a
normal DC. This is on CentOS 8 with Sernet packages, and I did the join like
this:
samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"
This completed successfully. The RODC was created in the Sites and
Services app. The replication with one DC is also listed there.
This is the smb.conf
-------------------------------------------------------------------
[global]
netbios name = RODC
realm = HQ.DOMAIN.DE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN-02
prefork children = 8
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
restrict anonymous = 2
disable netbios = yes
smb ports = 445
server min protocol = SMB2
client min protocol = SMB2
tls enabled = yes
tls keyfile = tls/server_de.key
tls certfile = tls/server.pem
tls cafile = tls/ca.pem
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/hq.DOMAIN.DE/scripts
read only = No
This is the krb5.conf. kinit Administrator works and gets a ticket.
-------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HQ.DOMAIN.DE
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_ccache_name = KEYRING:persistent:%{uid}
-------------------------------------------------------------------
I can preload users:
[root@rodc ~]# samba-tool rodc preload cn --server=dc2
Replicating DN CN=cn,CN=Users,DC=hq,DC=domain,DC=de
Exop on[CN=cn,CN=Users,DC=hq,DC=domain,DC=de] objects[1] linked_values[1]
The DNS A entry and the CNAME for the GUID were created during the join. The
other entries did not get created, so I ran samba_dnsupdate:
I tried this with Bind and the internal DNS. This is the output from the
internal DNS.
[root@rodc ~]# samba_dnsupdate --verbose --all-names
IPs: ['10.1.0.77']
force update: A rodc.hq.DOMAIN.DE 10.1.0.77
force update: CNAME
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
force update: SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
force update: SRV _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 389
force update: SRV _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 88
force update: SRV _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 88
force update: SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
force update: SRV _ldap._tcp.DMZ._sites.gc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 3268
8 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc2.hq.DOMAIN.DE as RODC$
update (nsupdate): A rodc.hq.DOMAIN.DE 10.1.0.77
Calling nsupdate for A rodc.hq.DOMAIN.DE 10.1.0.77 (add)
Successfully obtained Kerberos ticket to DNS/dc2.hq.DOMAIN.DE as RODC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
rodc.hq.DOMAIN.DE. 900 IN A 10.1.0.77
update failed: REFUSED
Failed nsupdate: 2
update (rodc): CNAME
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
Calling netlogon RODC update for CNAME
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
Error setting DNS entry of type 28: CNAME 50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
Called netlogon RODC update for CNAME
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
update (rodc): SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Calling netlogon RODC update for SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 22: SRV
_ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389: (3221225506,
'{Access Denied} A process has requested access to an object but has not
been granted those access rights.')
Called netlogon RODC update for SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 389
update (rodc): SRV _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 389
Calling netlogon RODC update for SRV
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 32: SRV
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389:
(3221225506, '{Access Denied} A process has requested access to an
object but has not been granted those access rights.')
Called netlogon RODC update for SRV
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
update (rodc): SRV _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 88
Calling netlogon RODC update for SRV
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 34: SRV
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88:
(3221225506, '{Access Denied} A process has requested access to an
object but has not been granted those access rights.')
Called netlogon RODC update for SRV
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
update (rodc): SRV _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 88
Calling netlogon RODC update for SRV
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 30: SRV
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88:
(3221225506, '{Access Denied} A process has requested access to an
object but has not been granted those access rights.')
Called netlogon RODC update for SRV
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
update (rodc): SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
update (rodc): SRV _ldap._tcp.DMZ._sites.gc._msdcs.hq.DOMAIN.DE
rodc.hq.DOMAIN.DE 3268
Failed update of 6 entries
During the run of samba_dnsupdate I see several of these in the logs:
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: [2021/02/13
10:56:59.766999, 1]
../../source3/winbindd/winbindd_cm.c:1281(cm_prepare_connection)
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: failed tcon_X with
NT_STATUS_ACCESS_DENIED
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: [2021/02/13
10:56:59.767285, 1]
../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: Failed to prepare
SMB connection to dc1.hq.DOMAIN.DE: NT_STATUS_ACCESS_DENIED
And on the DC where it is trying to update I see this:
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: starting
transaction on zone hq.DOMAIN.DE
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: disallowing
update of signer=RODC\$\@HQ.DOMAIN.DE name=rodc.hq.DOMAIN.DE type=A
error=insufficient access rights
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: client @0x7f39e4dccc30
10.1.0.77#42255/key RODC\$\@HQ.DOMAIN.DE: updating zone
'hq.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: cancelling
transaction on zone hq.DOMAIN.DE
So I created the missing DNS entries (except for the global catalog ones):
samba-tool dns add DC1 _msdcs.hq.DOMAIN.DE _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 389 0 100'
samba-tool dns add DC1 _msdcs.hq.DOMAIN.DE _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 88 0 100'
samba-tool dns add DC1 hq.DOMAIN.DE _ldap._tcp.DMZ._sites.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 389 0 100'
samba-tool dns add DC1 hq.DOMAIN.DE _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 88 0 100'
Replication seems to work (no error on the DC that does this). And I get
this on the RODC:
[root@rodc ~]# samba-tool drs showrepl -U Administrator
Password for [DOMAIN-02\Administrator]:
DMZ\RODC
DSA Options: 0x00000025
DSA object GUID: 50e4a341-c677-4562-a055-cefd7686ce68
DSA invocationId: 3e623f57-345a-4af1-9998-ccc5cf21f387
==== INBOUND NEIGHBORS ===
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: RODC Connection (FRS)
Enabled : TRUE
Server DNS name : dc2.hq.domain.de
Server DN name : CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=de
TransportType: RPC
options: 0x00000041
Warning: No NC replicated for Connection!
I can wbinfo -u/-g and get all infos. I can auth with wbinfo -a all
users that are preloaded and are in "Allowed RODC Password Replication
Group". However, if a user is not preloaded auth fails.
[root@rodc ~]# wbinfo -a bir
Enter bir's password:
plaintext password authentication failed
Could not authenticate user bir with plaintext password
Enter bir's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(DOMAIN-02\bir): error code was
NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
error message was: {Access Denied} A process has requested access to an
object but has not been granted those access rights.
Could not authenticate user bir with challenge/response
While in the logs I see many of this:
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15
15:43:30.146704, 1]
../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: Failed to prepare
SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED
And finally this:
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15
15:43:30.147548, 2]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: Auth:
[winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15
Feb 2021 15:43:30.147532 CET] with [NTLMv2] status
[NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped
to [(null)]\[(null)]. local host [unix:]
This works if the user is preloaded.
If I run this:
net ads keytab create -k yes
nothing happens. No Error and no keytab is created.
Anyone have an idea what to try? Or should I leave and join again?
Regards
Christian
--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
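The mail above ends up hand-typing `samba-tool dns add` commands for the SRV records that `samba_dnsupdate` could not register. The script below is an added example (not part of the mail and not Samba's own tooling) that does the triage step mechanically: it parses `samba_dnsupdate --verbose` output, lists every record whose registration failed together with the error line that followed it, and emits the equivalent `samba-tool dns add` commands for a writable DC. The server name `DC1`, the domain `hq.DOMAIN.DE`, the zone split (`_msdcs` names into the `_msdcs.hq.DOMAIN.DE` zone, everything else into `hq.DOMAIN.DE`) and the SRV priority/weight of `0 100` follow the commands in the mail; the embedded sample output is a constructed, unwrapped excerpt of the mail's run.

```python
"""Triage helper for `samba_dnsupdate --verbose` output.

Added example: parses the verbose output, reports which record
registrations failed and why, and emits the `samba-tool dns add`
commands needed to create them on a writable DC by hand.
Server, domain and sample output are taken from the mail; the sample
is a constructed, unwrapped excerpt (the tool prints one line per update).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One line per attempted record, e.g.
#   update (rodc): SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
UPDATE_RE = re.compile(
    r"^update \((?P<method>\w+)\): (?P<rtype>A|AAAA|CNAME|SRV) (?P<rest>.+)$"
)
# Lines samba_dnsupdate prints when the update just attempted did not go through.
ERROR_MARKERS = ("update failed:", "Failed nsupdate:", "Error setting DNS entry")


@dataclass
class DnsUpdate:
    method: str                 # "nsupdate" (GSS-TSIG to BIND) or "rodc" (netlogon RODC path)
    rtype: str                  # A, AAAA, CNAME or SRV
    name: str                   # owner name of the record
    target: str                 # address, CNAME target or SRV target host
    port: Optional[int] = None  # SRV only
    errors: List[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return bool(self.errors)


def parse_dnsupdate(output: str) -> List[DnsUpdate]:
    """Return every attempted update; error lines attach to the update before them."""
    updates: List[DnsUpdate] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = UPDATE_RE.match(line)
        if m:
            parts = m["rest"].split()
            port = int(parts[2]) if m["rtype"] == "SRV" else None
            updates.append(DnsUpdate(m["method"], m["rtype"], parts[0], parts[1], port))
        elif updates and line.startswith(ERROR_MARKERS):
            updates[-1].errors.append(line)
    return updates


def failed_updates(updates: List[DnsUpdate]) -> List[DnsUpdate]:
    return [u for u in updates if u.failed]


def zone_for(name: str, domain: str) -> str:
    """Zone choice as in the mail: _msdcs names go to the _msdcs.<domain> zone."""
    msdcs = f"_msdcs.{domain}"
    return msdcs if name.lower().endswith(msdcs.lower()) else domain


def add_commands(updates: List[DnsUpdate], server: str, domain: str,
                 skip_types=()) -> List[str]:
    """samba-tool dns add commands for the failed records (SRV data: target port priority weight)."""
    cmds = []
    for u in failed_updates(updates):
        if u.rtype in skip_types:
            continue
        data = f"'{u.target} {u.port} 0 100'" if u.rtype == "SRV" else u.target
        cmds.append(f"samba-tool dns add {server} {zone_for(u.name, domain)} {u.name} {u.rtype} {data}")
    return cmds


# Constructed excerpt of the mail's samba_dnsupdate run, one line per update.
SAMPLE = """\
IPs: ['10.1.0.77']
8 DNS updates and 0 DNS deletes needed
update (nsupdate): A rodc.hq.DOMAIN.DE 10.1.0.77
update failed: REFUSED
Failed nsupdate: 2
update (rodc): CNAME 50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
Error setting DNS entry of type 28: CNAME ... (3221225506, '{Access Denied} ...')
update (rodc): SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 22: SRV ... (3221225506, '{Access Denied} ...')
update (rodc): SRV _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 32: SRV ... (3221225506, '{Access Denied} ...')
update (rodc): SRV _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 34: SRV ... (3221225506, '{Access Denied} ...')
update (rodc): SRV _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 30: SRV ... (3221225506, '{Access Denied} ...')
update (rodc): SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
update (rodc): SRV _ldap._tcp.DMZ._sites.gc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
Failed update of 6 entries
"""

if __name__ == "__main__":
    ups = parse_dnsupdate(SAMPLE)
    for u in failed_updates(ups):
        print(f"FAILED {u.rtype:5} {u.name} via {u.method}: {u.errors[0]}")
    print()
    # The join already created the A and CNAME records, so only the SRV records remain to add.
    for cmd in add_commands(ups, "DC1", "hq.DOMAIN.DE", skip_types=("A", "CNAME")):
        print(cmd)
```

Run it with the real output piped in place of `SAMPLE` after a failed `samba_dnsupdate --verbose --all-names`; the failed count it reports should match the tool's own "Failed update of N entries" line. Whether the `_gc` records should exist at all depends on the RODC being a global catalog, which is why the mail left them out and why the script only generates commands for records the tool actually tried and failed to register.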