Hi Rowland,
I have no homes share. As far as I know, I should not have that share on a DC?
Regarding the security consideration for a DMZ zone, what do you suggest instead
of putting a RODC in it?
Note: Yes, I can ping the DC; there is no routing/firewalling issue (validated).
Thanks
----- Original Message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday, 13 June 2018 12:17:49
Subject: Re: [Samba] Samba 4.8 RODC not working
On Wed, 13 Jun 2018 11:33:48 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:
>
> Here it is. It talks about homes share but I think we don't care?
> Final error is not explicit to me. Maybe you?
>
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> winbindd version 4.8.2-SerNet-RedHat-10.el7 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2018
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> Processing section "[global]"
> doing parameter netbios name = DMZRODC
> doing parameter realm = ADS.MYDOMAIN.BE
> doing parameter server role = active directory domain controller
> doing parameter workgroup = MYDOMAIN
> doing parameter log level = 10
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> messaging_dgm_ref: messaging_dgm_init returned Succès
> messaging_dgm_ref: unique = 11509548009454711159
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> Registering messaging pointer for type 51 - private_data=(nil)
> messaging_init_internal: my id: 13124
> lp_load_ex: refreshing parameters
> Freeing parametrics:
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> Processing section "[global]"
> doing parameter netbios name = DMZRODC
> doing parameter realm = ADS.MYDOMAIN.BE
> doing parameter server role = active directory domain controller
> doing parameter workgroup = MYDOMAIN
> doing parameter log level = 10
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth0 ip=192.168.19.5 bcast=192.168.19.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="DMZRODC"
> added interface eth0 ip=192.168.19.5 bcast=192.168.19.255 netmask=255.255.255.0
> exit_daemon: STATUS=daemon failed to start: Failed to create session, error code 1
>
>
Not that it helps, but I have now noticed why you want the RODC: you
want to do something stupid like putting it into a DMZ zone.
This is not recommended, it is a security risk.
If you must do this, then do you have a share in smb.conf called
'[homes]'? If so, remove the trailing 's', i.e. make it '[home]', and
read the wiki.
Running out of ideas now, except, can you ping a DC from the RODC?
Rowland
--
www.it-optics.com
Gaëtan SLONGO | Head of Infrastructure Department