On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 09:20:37 -0300
> Emerson Kfuri via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > Recently I started using RODC servers on my environment and noticed a
> > few issues with it:
> > - lack of LDAP SPNs
> > - "samba_dnsupdate" not working with "insufficient access rights" (it
> > works from RWDCs)
>
> Probably because you cannot write to an RODC

Yes! That's the idea! But if these records are not automatically
registered, it means the admin always has to add them manually. This
should be documented so...

> > - "samba-tool dbcheck" changes instancetype of basically all objects
> > from 4 to 0.
>
> '4' means 'The object is writeable on this directory.', well it isn't on
> an RODC, so '0' is probably correct.
>
> > New replicated objects continue being created with instancetype 4
> > and dbcheck continues to change them
>
> See above.

So why not create these objects already with instancetype 0?

> > - "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED
>
> Replication is one way into the RODC
>
> > - "samba-tool domain tombstones expunge" is unable to expunge expired
> > deleted objects
>
> This may be a problem, but then again it might not be, to 'delete' you
> have to have 'write', but you cannot write to an RODC.

And how to prevent the database from accumulating garbage?

> Are you using the RODC's in the same site as your RWDC's ?
> If so, why ?
> RODC's are meant to be used where there are security and/or other
> concerns, so if you have RWDC's at the same place, why use RODC's ?

I have 3 sites and all of them have an RWDC and at least one RODC. I use
multiple RWDCs to balance write load and multiple RODCs to reduce
replication flow. Because of my database size and number of simultaneous
clients, I needed to grow the number of controllers to balance LDAP
queries since servers became unresponsive due to LDAP memory leaks.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Sun, 5 May 2019 10:13:07 -0300
Emerson Kfuri <emersonkfuri at gmail.com> wrote:

> On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Sun, 5 May 2019 09:20:37 -0300
> > Emerson Kfuri via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > >
> > > Recently I started using RODC servers on my environment and
> > > noticed a few issues with it:
> > > - lack of LDAP SPNs
> > > - "samba_dnsupdate" not working with "insufficient access
> > > rights" (it works from RWDCs)
> >
> > Probably because you cannot write to an RODC
>
> Yes! That's the idea! But if these records are not automatically
> registered, it means the admin always has to add them manually. This
> should be documented so...

In the Samba world, working RODC's are relatively new, so things like
this are still being found.

> > > - "samba-tool dbcheck" changes instancetype of basically all
> > > objects from 4 to 0.
> >
> > '4' means 'The object is writeable on this directory.', well it
> > isn't on an RODC, so '0' is probably correct.
> >
> > > New replicated objects continue being created with instancetype 4
> > > and dbcheck continues to change them
> >
> > See above.
>
> So why not create these objects already with instancetype 0?

Because they are being replicated in from an RWDC where '4' is correct,
I would think that a Windows RODC will probably have code to do this
during replication and, obviously, Samba hasn't yet.

> > > - "samba-tool drs showrepl" exiting with
> > > WERR_DS_DRA_ACCESS_DENIED
> >
> > Replication is one way into the RODC
> >
> > > - "samba-tool domain tombstones expunge" is unable to expunge
> > > expired deleted objects
> >
> > This may be a problem, but then again it might not be, to 'delete'
> > you have to have 'write', but you cannot write to an RODC.
>
> And how to prevent the database from accumulating garbage?

Again, this is probably something that will get fixed down the line,
but it seems this isn't just a Samba problem, a quick internet search
turned up the Windows fix for this, demote and rejoin the RODC ;-)

> > Are you using the RODC's in the same site as your RWDC's ?
> > If so, why ?
> > RODC's are meant to be used where there are security and/or other
> > concerns, so if you have RWDC's at the same place, why use RODC's ?
>
> I have 3 sites and all of them have an RWDC and at least one RODC. I
> use multiple RWDCs to balance write load and multiple RODCs to reduce
> replication flow. Because of my database size and number of
> simultaneous clients, I needed to grow the number of controllers to
> balance LDAP queries since servers became unresponsive due to LDAP
> memory leaks.

That isn't really how RODC's are meant to be used.
If you have LDAP memory leaks, then you should create a bug report or,
if there is one, add to an existing bug report, things like this will
not get fixed unless Samba is told about it.

Rowland
Hi Rowland,

Thanks for your answer, especially on a Sunday! :-)

On Sun, May 5, 2019 at 11:31 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 10:13:07 -0300
> Emerson Kfuri <emersonkfuri at gmail.com> wrote:
>
> > On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On Sun, 5 May 2019 09:20:37 -0300
> > > Emerson Kfuri via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hello,
> > > >
> > > > Recently I started using RODC servers on my environment and
> > > > noticed a few issues with it:
> > > > - lack of LDAP SPNs
> > > > - "samba_dnsupdate" not working with "insufficient access
> > > > rights" (it works from RWDCs)
> > >
> > > Probably because you cannot write to an RODC
> >
> > Yes! That's the idea! But if these records are not automatically
> > registered, it means the admin always has to add them manually. This
> > should be documented so...
>
> In the Samba world, working RODC's are relatively new, so things like
> this are still being found.

Yeah! My intent is just to point out my experience with it. It is my
first time with RODC too. :-)
I don't know how it works on Windows. Do you know if, on a Windows
Server, DNS records of an RODC are added automatically or manually?
But at least for now, I think manual registration should be documented
so RODCs can function properly, right?

> > > > - "samba-tool dbcheck" changes instancetype of basically all
> > > > objects from 4 to 0.
> > >
> > > '4' means 'The object is writeable on this directory.', well it
> > > isn't on an RODC, so '0' is probably correct.
> > >
> > > > New replicated objects continue being created with instancetype 4
> > > > and dbcheck continues to change them
> > >
> > > See above.
> >
> > So why not create these objects already with instancetype 0?
>
> Because they are being replicated in from an RWDC where '4' is correct,
> I would think that a Windows RODC will probably have code to do this
> during replication and, obviously, Samba hasn't yet.

I imagine it too. I thought about filing a bug report for these issues
but wanted to send here first to see if it is really a bug or some kind
of misconfiguration on my setup.

> > > > - "samba-tool drs showrepl" exiting with
> > > > WERR_DS_DRA_ACCESS_DENIED
> > >
> > > Replication is one way into the RODC

Yes, but it would be really great if this tool worked to show us whether
inbound replication is alright.

> > > > - "samba-tool domain tombstones expunge" is unable to expunge
> > > > expired deleted objects
> > >
> > > This may be a problem, but then again it might not be, to 'delete'
> > > you have to have 'write', but you cannot write to an RODC.
> >
> > And how to prevent the database from accumulating garbage?
>
> Again, this is probably something that will get fixed down the line,
> but it seems this isn't just a Samba problem, a quick internet search
> turned up the Windows fix for this, demote and rejoin the RODC ;-)

For now I've excluded them directly from the LDB partitions and then run
dbcheck to remove dangling links.

> > > Are you using the RODC's in the same site as your RWDC's ?
> > > If so, why ?
> > > RODC's are meant to be used where there are security and/or other
> > > concerns, so if you have RWDC's at the same place, why use RODC's ?
> >
> > I have 3 sites and all of them have an RWDC and at least one RODC. I
> > use multiple RWDCs to balance write load and multiple RODCs to reduce
> > replication flow. Because of my database size and number of
> > simultaneous clients, I needed to grow the number of controllers to
> > balance LDAP queries since servers became unresponsive due to LDAP
> > memory leaks.
>
> That isn't really how RODC's are meant to be used.
> If you have LDAP memory leaks, then you should create a bug report
> or, if there is one, add to an existing bug report, things like this
> will not get fixed unless Samba is told about it.

I know, but I have to keep my setup running, and so I did this. There
is already a bug reported, #11232, since version 4.1, but as it is hard
to detect the source of the leak, it is still open.

> Rowland

Emerson
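An added Python example (not code from this thread or from Samba) that decodes the AD instanceType bitfield and lists the entries whose WRITE bit is set, which is the 4 -> 0 rewrite the thread reports dbcheck making on an RODC; the bit names follow Samba's libds flag names and the LDIF input is constructed.

```python
# Added example, not from the thread: decode instanceType and flag entries
# an RODC should not hold as writable. Bit names as in Samba's libds flags;
# the LDIF below is constructed sample input, not real directory data.
import re

INSTANCE_TYPE_FLAGS = {
    0x01: "IS_NC_HEAD",   # object is the head of a naming context
    0x02: "UNINSTANT",    # replica is not instantiated
    0x04: "WRITE",        # object is writable on this DC (RWDC only)
    0x08: "NC_ABOVE",     # the NC above this one is held on this DC
    0x10: "NC_COMING",    # NC is being constructed by replication
    0x20: "NC_GOING",     # NC is being removed
}
INSTANCE_TYPE_WRITE = 0x04

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
instanceType: 4

dn: DC=example,DC=com
instanceType: 5

dn: CN=bob,CN=Users,DC=example,DC=com
instanceType: 0
"""

def parse_ldif(text):
    """Yield (dn, instanceType) for every entry that carries an instanceType."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "dn" in attrs and "instanceType" in attrs:
            yield attrs["dn"], int(attrs["instanceType"])

def decode_instance_type(value):
    """Return the flag names set in an instanceType value."""
    return [name for bit, name in INSTANCE_TYPE_FLAGS.items() if value & bit]

def rodc_writable_objects(text):
    """Map each DN with WRITE set to the value with WRITE cleared.
    For the plain value 4 this is the 4 -> 0 change the thread describes."""
    return {dn: it & ~INSTANCE_TYPE_WRITE
            for dn, it in parse_ldif(text) if it & INSTANCE_TYPE_WRITE}

if __name__ == "__main__":
    for dn, it in parse_ldif(SAMPLE_LDIF):
        print(f"{dn}: {it} -> {decode_instance_type(it)}")
    print("would be rewritten on an RODC:", rodc_writable_objects(SAMPLE_LDIF))
```

The same check can be run against a real export by feeding it the output of `ldbsearch` for `instanceType` instead of SAMPLE_LDIF.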