On Tue, 3 Dec 2024 11:25:35 +0100
Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> Il 03/12/24 10:13, Rowland Penny via samba ha scritto:
> > On Tue, 3 Dec 2024 09:15:36 +0100
> > Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> >
> >> Hi, i have some problems with a recently joined Read Only Domain
> >> controller.
> >>
> >> I had 2 Domain Controllers based on Windows Server 2019 (hosts
> >> vmw2srvdc1 and vmw2srvdc2), and I recently added a new site (PSN)
> >> and a Read Only DC in this second site based on samba (host
> >> lvsrvdc).
> >
> > I know that RODCs sound like a good idea, except for two things:
> > they were only really designed for a small site user base, but more
> > importantly, what happens if the site link goes down for any
> > considerable period?
>
> This is the first time we have used a RODC; our choice was more of a
> security-oriented one. The remote site should have about 30 servers,
When you say '30 servers', is this 30 servers plus clients, or 30
servers including clients? If the former, then I suggest you upgrade
to an RWDC.
> and we consider the connection to be sufficiently reliable and
> redundant. It is possible, since there were some moments of
> disconnection between the various domain controllers while we were
> fixing the firewall rules, but not prolonged for hours.
The problem with an RODC is that it cannot change anything: any changes
have to be sent to another RWDC and then replicated back, and any
unknown users, groups etc. have to be checked with an RWDC and then
cached. If the site link is broken, then only accounts that are cached
are known to the RODC.
>
> > You also haven't told us what Linux distro you are using and how
> > you set up the RODC and fileserver; what is in their smb.conf files,
> > for instance?
>
> All samba servers are debian12; samba on the domain members is
> 4.17.12-Debian, while on the RODC it is the backports version
> 4.21.1-Debian-4.21.1+dfsg-2~bpo12+1
It might be worth considering upgrading the domain members.
>
> The smb.conf of the RODC was generated at join time:
>
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8 8.8.4.4
> netbios name = LVSRVDC
> realm = INTRA.COMUNE.TRENTO.IT
> server role = active directory domain controller
> workgroup = INTRA
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/intra.comune.trento.it/scripts
> read only = No
>
> This is the smb.conf of one of the fileservers.
>
> [global]
> realm = INTRA.COMUNE.TRENTO.IT
> workgroup = INTRA
> security = ADS
> local master = no
> domain master = no
> preferred master = no
> mangling method = hash2
You do not really need the 4 parameters above.
> server string = File server psn-lvsrv39
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-2000000
Why have you set the default (*) range for 1 million accounts?
It is meant for the Well Known SIDs (there are fewer than two hundred of
those) and anything outside the 'INTRA' domain (so '0' really).
Also, why have you put it above the 'INTRA' domain? If your domain grows
large enough (not likely in your case), you will have a problem.
> idmap config INTRA : backend = rid
> idmap config INTRA : range = 10000-99999
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind use default domain = no
>
> winbind enum users = Yes
> winbind enum groups = Yes
You do not need the 'winbind enum' lines for winbind to work; in fact,
if your domain is large enough, they are a hindrance: whenever you
ask for a user or group, every user or group must be looked up.
> winbind expand groups = 2
>
> server min protocol = NT1
Is there a reason to use SMBv1? Do you still have clients that require
it? These are usually a very large, expensive piece of equipment with a
builtin computer that cannot be updated.
You mentioned that the domain member loses its account after a few
hours; is there a pattern to this?
Are you running anything else on the computer that may be relevant,
sssd for instance?
Rowland
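As an added example (not code from this thread or from the Samba project), here is a small Python checker that parses a domain member's [global] section and flags the settings questioned above: SMB1 still allowed by 'server min protocol', 'winbind enum' turned on, an oversized default (*) idmap range, and idmap ranges that overlap. The weak sample is built from the file-server smb.conf quoted above; the hardened variant's range values and the 10000-id threshold are this example's own assumptions, and testparm remains the authoritative way to validate a real smb.conf.

```python
"""Audit a Samba domain-member smb.conf for the points raised in the thread:
SMB1 still enabled, 'winbind enum' turned on, an oversized default idmap
range, and idmap ranges that overlap."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample: the questioned lines of the file-server smb.conf quoted
# in the thread.
WEAK_SMB_CONF = """\
[global]
realm = INTRA.COMUNE.TRENTO.IT
workgroup = INTRA
security = ADS
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config INTRA : backend = rid
idmap config INTRA : range = 10000-99999
winbind enum users = Yes
winbind enum groups = Yes
server min protocol = NT1
"""

# Constructed hardened variant (range values are this example's own choices,
# not from the thread): small default range below the domain range, no
# enumeration, SMB2 as the floor so SMB1 clients are refused.
HARDENED_SMB_CONF = """\
[global]
realm = INTRA.COMUNE.TRENTO.IT
workgroup = INTRA
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INTRA : backend = rid
idmap config INTRA : range = 10000-999999
server min protocol = SMB2_02
"""

# Assumed threshold: the default range only has to hold the well-known SIDs
# (fewer than two hundred), so anything much larger deserves a question.
MAX_DEFAULT_RANGE_SIZE = 10000
RANGE_KEY_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*range$", re.IGNORECASE)


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Return the [global] options as {name: value}, names as written."""
    # smb.conf uses '=' only; ':' belongs to names like 'idmap config X : range'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = str  # keep the domain name's case inside the option name
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {name: value.strip() for name, value in cp.items("global")}


def idmap_ranges(opts: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Collect 'idmap config DOM : range = lo-hi' lines as {DOM: (lo, hi)}."""
    ranges = {}
    for name, value in opts.items():
        match = RANGE_KEY_RE.match(name)
        if match:
            lo, hi = (int(part) for part in value.split("-", 1))
            ranges[match.group(1)] = (lo, hi)
    return ranges


def audit(opts: Dict[str, str]) -> List[str]:
    """Return one finding per questionable setting; an empty list is clean."""
    findings = []
    low = {name.lower(): value for name, value in opts.items()}  # names are case-insensitive

    proto = low.get("server min protocol", "").upper()
    if proto and not proto.startswith(("SMB2", "SMB3")):
        findings.append(f"server min protocol = {proto} still allows SMB1; raise it to SMB2_02 or later")

    for kind in ("users", "groups"):
        if low.get(f"winbind enum {kind}", "").lower() in ("yes", "true", "1", "on"):
            findings.append(f"winbind enum {kind} is on: not needed by winbind, and every lookup walks all {kind}")

    ranges = idmap_ranges(opts)
    if "*" in ranges:
        lo, hi = ranges["*"]
        if hi - lo + 1 > MAX_DEFAULT_RANGE_SIZE:
            findings.append(f"default idmap range {lo}-{hi} spans {hi - lo + 1} ids but only needs the well-known SIDs")

    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"idmap ranges for {a} and {b} overlap ({lo_a}-{hi_a} vs {lo_b}-{hi_b}); ids would collide")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"[{label}]")
        for finding in audit(parse_smb_conf(conf)) or ["no findings"]:
            print("  -", finding)
```

Running the script prints four findings for the weak sample and none for the hardened one. The parser is deliberately given '=' as its only delimiter, because the 'idmap config DOM : range' option names contain a colon that the default configparser settings would treat as a separator.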