On 03/12/24 12:24, Rowland Penny via samba wrote:
> On Tue, 3 Dec 2024 11:25:35 +0100
> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>
>> On 03/12/24 10:13, Rowland Penny via samba wrote:
>>> On Tue, 3 Dec 2024 09:15:36 +0100
>>> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi, I have some problems with a recently joined Read Only Domain
>>>> Controller.
>>>>
>>>> I had 2 Domain Controllers based on Windows Server 2019 (hosts
>>>> vmw2srvdc1 and vmw2srvdc2). I recently added a new site (PSN)
>>>> and a Read Only DC in this second site based on samba (host
>>>> lvsrvdc).
>>>
>>> I know that RODCs sound like a good idea, except for two things,
>>> they were only really designed for a small site user base, but more
>>> importantly, what happens if the site link goes down for any
>>> considerable period ?
>>
>> This is the first time we have used a RODC; our choice was more of a
>> security-oriented one. The remote site should have about 30 servers,
>
> When you say '30 servers' is this 30 servers plus clients, or 30
> servers including clients ? if the former, then I suggest you upgrade
> to an RWDC.
Only the servers; some of them are application servers, therefore they
will become clients of the samba servers. But most of the clients will
remain in the main site.
> The problem with an RODC is that it cannot change anything, any changes
> have to be sent to another RWDC and then replicated back, any unknown
> users and groups etc. have to be checked with an RWDC and then cached.
> If the site link is broken, then only accounts that are cached are
> known to the RODC.
Ok, the connection is actually reliable, with latency under 20ms.
It should be good; otherwise we have far more issues than this one.
I just cannot exclude that in the past few months the connection between
the RODC and the RWDCs dropped for some brief period due to our testing.
>> All samba servers are Debian 12; samba on the domain members is
>> 4.17.12-Debian while on the RODC it is the backports version
>> 4.21.1-Debian-4.21.1+dfsg-2~bpo12+1
>
> It might be worth considering upgrading the domain members.
Ok, I upgraded one of the 3 domain members to the backports version
4.21.1-Debian-4.21.1+dfsg-2~bpo12+1
>>
>> The smb.conf of the RODC was generated at join time:
>>
>> # Global parameters
>> [global]
>> dns forwarder = 8.8.8.8 8.8.4.4
>> netbios name = LVSRVDC
>> realm = INTRA.COMUNE.TRENTO.IT
>> server role = active directory domain controller
>> workgroup = INTRA
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/intra.comune.trento.it/scripts
>> read only = No
>>
>> This is one of the fileservers smb.conf.
>>
>> [global]
>> realm = INTRA.COMUNE.TRENTO.IT
>> workgroup = INTRA
>> security = ADS
>> local master = no
>> domain master = no
>> preferred master = no
>> mangling method = hash2
>
> You do not really need the 4 parameters above.
Ok thanks, this is a bit old, not reviewed config that I have copied just
as is onto the new machine.
>> winbind enum users = Yes
>> winbind enum groups = Yes
>
> You do not need the 'winbind enum' lines for winbind to work, in
> fact, if your domain is large enough, they are a hindrance: whenever
> you ask for a user or group, every user or group must be looked up.
Ok, I've commented them out. Thanks!
>> winbind expand groups = 2
>>
>> server min protocol = NT1
>
> Is there a reason to use SMBv1? Do you still have clients that require
> it? These are usually a very large, expensive piece of equipment with a
> builtin computer that cannot be updated.
Sadly, yes, we have some very old clients that we cannot actually change
or update.
>
> You mentioned that the domain member loses its account after a few
> hours; is there a pattern to this?
> Are you running anything else on the computer that may be relevant,
> sssd for instance ?
No, I just installed samba, winbind, ntp and some related libraries.
But the machine accounts are not completely lost: they seem lost if I query
the Read Only DC; when I query one of the other DCs the machine accounts are
ok.
I have found that restarting winbind seems to solve the problem, but only for
a short time.
So I set up a testing script that checks the join every 5 minutes and
eventually restarts winbind.
The output is this:
[Thu 05 Dec 2024 03:40:02 PM CET] - Join is OK
[Thu 05 Dec 2024 03:45:01 PM CET] - Join is OK
[Thu 05 Dec 2024 03:50:03 PM CET] - Join is OK
[Thu 05 Dec 2024 03:55:01 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 04:00:02 PM CET] - Join is OK
[Thu 05 Dec 2024 04:05:03 PM CET] - Join is OK
[Thu 05 Dec 2024 04:10:01 PM CET] - Join is OK
[Thu 05 Dec 2024 04:15:02 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 04:20:02 PM CET] - Join is OK
[Thu 05 Dec 2024 04:25:02 PM CET] - Join is OK
[Thu 05 Dec 2024 04:30:02 PM CET] - Join is OK
[Thu 05 Dec 2024 04:35:01 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 04:40:01 PM CET] - Join is OK
[Thu 05 Dec 2024 04:45:05 PM CET] - Join is OK
[Thu 05 Dec 2024 04:50:02 PM CET] - Join is OK
[Thu 05 Dec 2024 04:55:01 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 05:00:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:05:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:10:02 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 05:15:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:20:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:25:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:30:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:35:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:40:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:45:01 PM CET] - Not joined - restart winbind
[Thu 05 Dec 2024 05:50:02 PM CET] - Join is OK
[Thu 05 Dec 2024 05:55:02 PM CET] - Join is OK
[Thu 05 Dec 2024 06:00:02 PM CET] - Not joined - restart winbind
-- 
Mitja Tavčar
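The kind of check-and-restart script described in the mail, as an added example; it is not the poster's script (which is not shown in the thread) and not part of Samba. It assumes Samba's `net ads testjoin` is installed and that winbind runs as the systemd unit `winbind`; the variables JOIN_CHECK_CMD, RESTART_CMD and LOGFILE are hypothetical overrides so the logic can be exercised without Samba, and the log format mirrors the lines quoted above so failures can later be counted to look for the pattern Rowland asked about.

```shell
#!/bin/sh
# Added example: periodically verify that this domain member's machine
# account still works, log the result, and restart winbind when it does not.
# Assumptions (not from the thread): 'net ads testjoin' is available and
# winbind is the systemd unit 'winbind'. The three variables below are
# hypothetical overrides for testing this logic without Samba.

LOGFILE="${LOGFILE:-/var/log/join-check.log}"
JOIN_CHECK_CMD="${JOIN_CHECK_CMD:-net ads testjoin}"
RESTART_CMD="${RESTART_CMD:-systemctl restart winbind}"

# Format one line like the output quoted in the mail: "[date] - message".
log_line() {
    printf '[%s] - %s\n' "$(date '+%a %d %b %Y %I:%M:%S %p %Z')" "$1"
}

# Run the join check; exit status 0 means the machine account is usable.
# JOIN_CHECK_CMD is deliberately unquoted so "net ads testjoin" splits
# into its words.
join_ok() {
    $JOIN_CHECK_CMD >/dev/null 2>&1
}

# One check cycle: append a log line, restart winbind on failure, and
# print the message so callers (and tests) can see what was decided.
check_cycle() {
    if join_ok; then
        msg="Join is OK"
    else
        msg="Not joined - restart winbind"
        $RESTART_CMD >/dev/null 2>&1
    fi
    log_line "$msg" >> "$LOGFILE"
    printf '%s\n' "$msg"
}

# Count failed cycles in a log file, to check whether failures follow a
# pattern (e.g. the roughly 20-minute spacing visible in the quoted output).
failures_in_log() {
    grep -c 'Not joined' "$1"
}

# Only run a cycle when invoked with "run"; a cron entry every 5 minutes
# would be:  */5 * * * * root /usr/local/sbin/join-check.sh run
case "${1:-}" in
    run) check_cycle >/dev/null ;;
esac
```

To test the RODC specifically rather than whichever DC winbind picks, JOIN_CHECK_CMD can point the check at it (for example with net's server option, `-S`), which separates "account missing on the RODC" from "winbind chose a DC it cannot reach".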