On Tue, 7 Aug 2018 17:44:37 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hi Andrej,
>
> then it works, but on a "normal" addc it works without "-U ".

This is probably because you will be running the command from the RODC on the RWDC.

> One more Question:
> When I do a "host -t srv _ldap._tcp.example.net" I only see my
> writeable DCs but not my RODC.

There is a good reason for that, RODCs do not get that address.

> So I tested with:
> ------
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
> ------
> Found an objectguid for my RODC
>
> -------
> host -t CNAME ab4da5a2-2755-45b4-9d83-1dec1f869477._msdcs.example.net
> -------
> The CNAME is there.
> Then I did a:
> --------
> samba_dnsupdate --verbose --all-names
> --------
> Still no entry for any of the srv-records on my rodc.

As I said above, only RWDCs get that srv-record.

> Adding users for password-caching works.
> Next question :-)
> Is there any way to see which users are loaded with "samba-tool rodc
> preload <user> --server=addc01"?

Not sure, but, from reading the code, it will print an error message for every user that fails.

Rowland
Mhhhh,
but as far as I know the client searches via DNS for the services
"kerberos", "ldap", "gc" to connect and authenticate. How will a
client find the RODC if not via DNS? *Headscratching*

On 07.08.2018 at 18:19 Rowland Penny via samba wrote:
>> One more Question:
>> When I do a "host -t srv _ldap._tcp.example.net" I only see my
>> writeable DCs but not my RODC.
> There is a good reason for that, RODCs do not get that address.
On Tue, 7 Aug 2018 18:58:26 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Mhhhh,
> but as far as I know the client searches via DNS for the services
> "kerberos", "ldap", "gc" to connect and authenticate. How will a
> client find the RODC if not via DNS? *Headscratching*

I know very little about RODCs, but if you find the file 'dns_update_list' on your DC, it contains the DNS records that samba_dnsupdate creates if they do not exist. In that file there is this:

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464

# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

So, as I am sure you can see, your RODC gets 'SITE' ldap records, but it doesn't get standard ldap records.

Wiser heads than mine created that file ;-)

Rowland
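To make the point in the last reply concrete, here is an added example (not Samba's code and not from the list thread) that expands the quoted dns_update_list fragment for a read-write DC and for an RODC and lists which SRV owner names only the RWDC ends up behind. It models only the two guards visible in the fragment, ${IF_RWDC} and ${IF_DC}; the real template has further guards (for example ${IF_GC} or ${IF_PDC}) which this expander skips, and that is an assumption. The host names addc01/rodc01, the 192.0.2.x addresses, the GUIDs and the site name Default-First-Site-Name are constructed sample values, as is the in-line copy of the template.

```python
"""Which DNS records does samba_dnsupdate register for an RODC vs an RWDC?

Added example, not Samba's own code. Only the ${IF_RWDC} (read-write DCs
only) and ${IF_DC} (every DC, read-only included) guards are modelled;
other ${IF_*} guards found in a real dns_update_list are skipped
(assumption). All host names, addresses, GUIDs and the site name are
constructed sample data.
"""
import re
from string import Template

# Constructed sample input: a copy of the dns_update_list fragment quoted above.
DNS_UPDATE_LIST = """\
# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
"""

COND_RE = re.compile(r"^\$\{IF_([A-Z_]+)\}")

# Constructed values for a hypothetical domain with one RWDC and one RODC.
COMMON = {
    "DNSDOMAIN": "example.net",
    "DNSFOREST": "example.net",
    "DOMAINGUID": "11111111-2222-3333-4444-555555555555",
    "SITE": "Default-First-Site-Name",
}
RWDC_VARS = dict(COMMON, HOSTNAME="addc01.example.net", IP="192.0.2.10",
                 NTDSGUID="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
RODC_VARS = dict(COMMON, HOSTNAME="rodc01.example.net", IP="192.0.2.20",
                 NTDSGUID="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")


def expand(template_text, variables, is_rwdc):
    """Return (rtype, name, target, port) for every record this DC registers."""
    records = []
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            cond = m.group(1)
            if cond == "RWDC" and not is_rwdc:
                continue  # RW-only record: an RODC never registers it
            if cond not in ("RWDC", "DC"):
                continue  # guard this example does not model (assumption)
            line = line[m.end():]
        fields = Template(line).substitute(variables).split()
        rtype, name, target = fields[0], fields[1], fields[2]
        port = int(fields[3]) if len(fields) > 3 else None
        records.append((rtype, name, target, port))
    return records


def srv_names(records):
    """Owner names of the SRV records only, as a set."""
    return {name for rtype, name, _target, _port in records if rtype == "SRV"}


def rwdc_only_srv_names():
    """SRV names behind which a client will never find an RODC."""
    rw = srv_names(expand(DNS_UPDATE_LIST, RWDC_VARS, True))
    ro = srv_names(expand(DNS_UPDATE_LIST, RODC_VARS, False))
    return sorted(rw - ro)


if __name__ == "__main__":
    print("Records rodc01 registers:")
    for rec in expand(DNS_UPDATE_LIST, RODC_VARS, False):
        print("  ", *rec)
    print("\nSRV names that only RWDCs register:")
    for name in rwdc_only_srv_names():
        print("  ", name)
```

Running it shows that the RODC appears only under the CNAME for its NTDS GUID and under the four `${SITE}._sites` SRV names, so to see rodc01 with `host -t srv` you have to query, for example, `_ldap._tcp.Default-First-Site-Name._sites.example.net` (with your own site name) rather than `_ldap._tcp.example.net`.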