samba - Mar 2015 - Joining a samba member server using offline join or a RODC

Hi,

I would like to join a samba 4.2.0 file server sitting in a branch
office, with connection only to a RODC (and only the RODC can talk to
the RWDC). Was wondering what's the workflow for doing this in samba.

For Windows machines, Microsoft seems to have planned two workflows for this:

1. Use new  flag to NetJoinDomain() API to join using the RODC
(https://technet.microsoft.com/en-us/library/dd728035%28v=ws.10%29.aspx#run_join_script).
With this workflow, the machine account is created on the domain, then
what seems to happen is that admin credentials towards the RODC are
being used to fetch the machine account secret and install it on the
joining member.

2. Offline domain join
(https://technet.microsoft.com/en-us/library/dd392267.aspx) - with
this workflow, the machine account on the domain is created manually,
then shared secret exported to a BLOB which is installed on the
joining server.

Thanks,
Uri.

Hi Uri,
> I would like to join a samba 4.2.0 file server sitting in a branch
> office, with connection only to a RODC (and only the RODC can talk to
> the RWDC). Was wondering what's the workflow for doing this in samba.
>
> For Windows machines, Microsoft seems to have planned two workflows for
this:
>
> 1. Use new  flag to NetJoinDomain() API to join using the RODC
>
(https://technet.microsoft.com/en-us/library/dd728035%28v=ws.10%29.aspx#run_join_script).
> With this workflow, the machine account is created on the domain, then
> what seems to happen is that admin credentials towards the RODC are
> being used to fetch the machine account secret and install it on the
> joining member.
>
> 2. Offline domain join
> (https://technet.microsoft.com/en-us/library/dd392267.aspx) - with
> this workflow, the machine account on the domain is created manually,
> then shared secret exported to a BLOB which is installed on the
> joining server.
the offline join scenario works fine with a samba4 setup. You just have 
to join a temporary VM with the remote server name on the hub site, 
rsync the private directory and smb.conf to your remote server and 
preload the machine account on the rodc.

Cheers,

Denis

>
> Thanks,
> Uri.
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Thanks for the quick response!

Uri.

On Mon, Mar 16, 2015 at 12:27 PM, Denis Cardon
<denis.cardon at tranquil-it-systems.fr> wrote:
> Hi Uri,
>
>
>> I would like to join a samba 4.2.0 file server sitting in a branch
>> office, with connection only to a RODC (and only the RODC can talk to
>> the RWDC). Was wondering what's the workflow for doing this in
samba.
>>
>> For Windows machines, Microsoft seems to have planned two workflows for
>> this:
>>
>> 1. Use new  flag to NetJoinDomain() API to join using the RODC
>>
<snip>
>>
>> 2. Offline domain join
<snip>
>> joining server.
>
>
> the offline join scenario works fine with a samba4 setup. You just have to
> join a temporary VM with the remote server name on the hub site, rsync the
> private directory and smb.conf to your remote server and preload the
machine
> account on the rodc.
>
> Cheers,
>
> Denis
>
>
>>
>> Thanks,
>> Uri.
>>
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, b?timent A
> 12 avenue Jules Verne
> 44230 Saint S?bastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>