thr3ads.net - samba - [Samba] setting up a RODC [Aug 2018]

If this information is useful, please help other people find it:
Share via:

Andrej Gessel

2018-Aug-07 15:13 UTC

[Samba] setting up a RODC

Hello Stefan,

you need to use "-U" with user from Domain Admin group(maybe it works 
with other users too, but I didn't test it).


Andrej


Am 07.08.2018 um 17:00 schrieb Stefan Kania via samba:> When I start the replication from the other DC it works as you can see:
> -------
> root at addc-01:~# samba-tool drs replicate rodc-01 addc-01
dc=example,dc=net
> Replicate from addc-01 to rodc-01 was successful.
> -------
>
> Am 07.08.2018 um 15:26 schrieb Stefan Kania via samba:
>> Hello,
>>
>> I just start testing the setup of an RODC with 4.8.3 (I use the
packages
>> from Louis). The join works fine. After a reboot of the rodc I can see
>> all Objcts with:
>> ldbsearch --url=/var/lib/samba/private/sam.ldb
>>
>> and all users and groups with:
>> wbinfo -u
>> wbinfo -g
>>
>> But as soon as I try to test the replication I got this message:
>> -----------
>> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
>> offsite\RODC-01
>> DSA Options: 0x00000025
>> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
>> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>>
>> ==== INBOUND NEIGHBORS ===>>
>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
>> 'WERR_DS_DRA_ACCESS_DENIED')
>> -----------
>>
>> If I try to do a replication I see the following messages:
>> -----------
>> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate
rodc-01
>> addc-01 dc=example,dc=net
>> ERROR(<class 'samba.drs_utils.drsException'>):
DsReplicaSync failed -
>> drsException: DsReplicaSync failed (8453,
'WERR_DS_DRA_ACCESS_DENIED')
>>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
>> in run
>>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>> source_dsa_guid, NC, req_options)
>>    File
"/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
>> in sendDsReplicaSync
>>      raise drsException("DsReplicaSync failed %s" % estr)
>>
>> -----------
>>
>> With "journalctl -f" open I see:
>> -----------
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
>> 15:16:34.805062,  0]
>> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync
>> refused for security token (level=10)
>> -----------
>>
>> I use Samba together with bind9 everything is running on Debian9
Systems.
>> Here is the smb.conf from the RODC
>> -----------
>> # Global parameters
>> [global]
>>          netbios name = RODC-01
>>          realm = EXAMPLE.NET
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          workgroup = EXAMPLE
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> -----------
>> I checked all the permissions for the bind9. The Bind is running and
can
>> access the DNS-DBs
>> Did I miss someting? The section inside Samba-wiki is not very good at
>> the moment and I could not find any other how to :-(
>>
>> Any help is welcome :-)
>>
>> Stefan
>>
>>
>>
>>
>>
>>
>
>

Stefan Kania

2018-Aug-07 15:44 UTC

head link

[Samba] setting up a RODC

Hi Andrej,

then it works, but on a "normal" addc it works without "-U
".

One more Question:
When I do a "host -t srv _ldap._tcp.example.net" I only see my
writeable
DCs but not my RODC. So I tested with:
------
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)'
--cross-ncs objectguid
------
Found a objectguid for my RODC

-------
host -t CNAME ab4da5a2-2755-45b4-9d83-1dec1f869477._msdcs.example.net
-------
The CNAME is there
Then I did a:
--------
samba_dnsupdate --verbose --all-names
--------
Still no entry for any of the srv-records on my rodc.


Adding Users for password-caching works.
Next Question :-)
Is there any way to see which users loaded with "samba-tool rodc preload
<user> --server=addc01"

I think, thats all (for the moment)

Stefan

Am 07.08.2018 um 17:13 schrieb Andrej Gessel via samba:> Hello Stefan,
> 
> you need to use "-U" with user from Domain Admin group(maybe it
works
> with other users too, but I didn't test it).
> 
> 
> Andrej
> 
> 
> Am 07.08.2018 um 17:00 schrieb Stefan Kania via samba:
>> When I start the replication from the other DC it works as you can see:
>> -------
>> root at addc-01:~# samba-tool drs replicate rodc-01 addc-01
>> dc=example,dc=net
>> Replicate from addc-01 to rodc-01 was successful.
>> -------
>>
>> Am 07.08.2018 um 15:26 schrieb Stefan Kania via samba:
>>> Hello,
>>>
>>> I just start testing the setup of an RODC with 4.8.3 (I use the
packages
>>> from Louis). The join works fine. After a reboot of the rodc I can
see
>>> all Objcts with:
>>> ldbsearch --url=/var/lib/samba/private/sam.ldb
>>>
>>> and all users and groups with:
>>> wbinfo -u
>>> wbinfo -g
>>>
>>> But as soon as I try to test the replication I got this message:
>>> -----------
>>> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
>>> offsite\RODC-01
>>> DSA Options: 0x00000025
>>> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
>>> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>>>
>>> ==== INBOUND NEIGHBORS ===>>>
>>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
>>> 'WERR_DS_DRA_ACCESS_DENIED')
>>> -----------
>>>
>>> If I try to do a replication I see the following messages:
>>> -----------
>>> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate
rodc-01
>>> addc-01 dc=example,dc=net
>>> ERROR(<class 'samba.drs_utils.drsException'>):
DsReplicaSync failed -
>>> drsException: DsReplicaSync failed (8453,
'WERR_DS_DRA_ACCESS_DENIED')
>>>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
>>> 389,
>>> in run
>>>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>>> source_dsa_guid, NC, req_options)
>>>    File
"/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
>>> in sendDsReplicaSync
>>>      raise drsException("DsReplicaSync failed %s" % estr)
>>>
>>> -----------
>>>
>>> With "journalctl -f" open I see:
>>> -----------
>>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
>>> 15:16:34.805062,  0]
>>>
../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
>>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:  
DsReplicaSync
>>> refused for security token (level=10)
>>> -----------
>>>
>>> I use Samba together with bind9 everything is running on Debian9
>>> Systems.
>>> Here is the smb.conf from the RODC
>>> -----------
>>> # Global parameters
>>> [global]
>>>          netbios name = RODC-01
>>>          realm = EXAMPLE.NET
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>          workgroup = EXAMPLE
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/example.net/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>> -----------
>>> I checked all the permissions for the bind9. The Bind is running
and can
>>> access the DNS-DBs
>>> Did I miss someting? The section inside Samba-wiki is not very good
at
>>> the moment and I could not find any other how to :-(
>>>
>>> Any help is welcome :-)
>>>
>>> Stefan
>>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180807/3997a130/signature.sig>

Rowland Penny

2018-Aug-07 16:19 UTC

head link

[Samba] setting up a RODC

On Tue, 7 Aug 2018 17:44:37 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hi Andrej,
> 
> then it works, but on a "normal" addc it works without "-U
".
This is  probably because you will be running the command from the RODC
on the RWDC.
> 
> One more Question:
> When I do a "host -t srv _ldap._tcp.example.net" I only see my
> writeable DCs but not my RODC. 
There is a good reason for that, RODC's do not get that address.
>So I tested with:
> ------
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)'
> --cross-ncs objectguid
> ------
> Found a objectguid for my RODC
> 
> -------
> host -t CNAME ab4da5a2-2755-45b4-9d83-1dec1f869477._msdcs.example.net
> -------
> The CNAME is there
> Then I did a:
> --------
> samba_dnsupdate --verbose --all-names
> --------
> Still no entry for any of the srv-records on my rodc.
As I said above, only RWDC's get that srv-record.
> 
> 
> Adding Users for password-caching works.
> Next Question :-)
> Is there any way to see which users loaded with "samba-tool rodc
> preload <user> --server=addc01"
Not sure, but, from reading the code, it will print an error message
for every user that fails.

Rowland

Maybe Matching Threads

Search for more maybe matching threads

samba - Aug 2018 - setting up a RODC

[Samba] setting up a RODC

[Samba] setting up a RODC

[Samba] setting up a RODC

Maybe Matching Threads