Manzini Enrico
2024-Dec-30 16:07 UTC
[Samba] R: samba remote site client authentication and network browsing problem
Hi Rowland

We actually use RODCs because we have a customer with a hub and spoke configuration with 4 RWDCs in the central site, and about 80 remote sites with RODCs deployed, all of these with low hardware security, sites where the machine can physically be stolen, so we opted to use RODC machines at the remote sites.

The connectivity and dns resolution both work fine, whether the dc used as rodc replication partner is online or offline.

We reproduced the customer configuration in an internal lab and:
- linux based deployment works only if the server used as replication partner during the rodc domain join is online; after that, if it is offline, the problem we explained before arises

We also tested a remote RWDC environment, and:
- with the remote server configured as RWDC and not as RODC, the problem did not arise

We also tested a pure windows environment from scratch, and:
- windows based deployment works fine in both cases

Regards
Enrico Manzini

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Tuesday, 24 December 2024 15:12
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] samba remote site client authentication and network browsing problem

On Tue, 24 Dec 2024 11:38:17 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Hello,
> we are testing a dc/rodc configuration with Samba AD, but we are stuck with a problem that occurs when one of the writable DCs (the one that was used as a partner during rodc join) is shut down:
>
> Test configuration:
> - writeable dc and read only dc Samba 4.21 installed on Debian 12, with two sites configured
> - 2 writeable dc named dc-1 and dc-2 on central site
> - 1 read only dc named rodc-1 on remote site
> - Active directory sites and services configured as expected (one central site and one remote site with subnet association)
> - 1 remote client windows 10 named remote-1 (in same site as rodc-1)
> - we joined the remote site rodc named rodc-1 using as replication partner the writable dc named dc-1
> - we joined the windows 10 client using the read only dc named rodc-1
> - we verified that the remote client uses the rodc server as logon server through nltest /dsgetdc:domain_name
>
> Problem:
> - if we browse the network from the remote-1 client with the rodc and the writable dc used as the rodc replication partner for domain join online, everything is ok and the network browsing in single sign on works as expected
> - if we browse the network from the remote-1 client with the rodc online but the writable dc used as the rodc replication partner for domain join offline, network browsing does not work as expected, and network browsing of servers in central site (for example dc-2) does not work, with the Windows client requesting authentication (single sign on still works if browsing using explorer on read only domain controller, until it is restarted. After the restart the rodc browsing also does not work anymore)
> - If we put back online that writable DC, everything goes back to normal: single sign on works correctly and the windows client can browse every server
>
> Do you have any suggestions?
> Thank you for your help
>
> Enrico Manzini

First, what is your reason to use an RODC instead of a RWDC ?
If it isn't 'we are afraid the DC might be stolen', then I would give up on the RODC and install a RWDC.

Your AD clients must be able to find their records, as do your users, this means that, if the network is flaky, machine, user & group records will have to be replicated to the RODC, but the passwords, by default, are not. You can force replication of the passwords, but if you do, you now have something very akin to an RWDC.

So, to put it into a nutshell, I personally would only run an RODC if it was likely to be stolen (in which case, you would have to ask, why do we have anything valuable here ?) and if the dns is rock solid to allow uninterrupted communication between the RODC and the other site.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2024-Dec-30 17:03 UTC
[Samba] R: samba remote site client authentication and network browsing problem
On Mon, 30 Dec 2024 16:07:31 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Hi Rowland
> We actually use RODCs because we have a customer with a hub and spoke configuration with 4 RWDCs in the central site, and about 80 remote sites with RODCs deployed, all of these with low hardware security, sites where the machine can physically be stolen,

Well, as I said, from my point of view, that is the only valid reason to deploy an RODC.

> so we opted to use RODC machines at the remote sites
> The connectivity and dns resolution both work fine, whether the dc used as rodc replication partner is online or offline
> We reproduced the customer configuration in an internal lab and:
> - linux based deployment works only if the server used as replication partner during the rodc domain join is online; after that, if it is offline, the problem we explained before arises

That is something I think you need to explain a bit better, joining an RODC is no different to joining an RWDC and you do not need to specify a replication partner for either, Samba should find the 'best' DC to join and replicate from.

> We also tested a remote RWDC environment, and:
> - with the remote server configured as RWDC and not as RODC, the problem did not arise

That is because an RWDC will have all the AD records and can supply these without contacting another DC, an RODC needs to 'talk' to an RWDC to get some, if not all the required AD records, which they then 'cache'.

> We also tested a pure windows environment from scratch and:
> - windows based deployment works fine in both cases

If that is the case, then I suggest you get level 10 logs and wire traces and open a Samba bug report, a Samba AD computer should do what a Windows one can (but be aware, Samba not doing something can be down to lack of code to do it and you may have to wait until that code does get created)

Rowland
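A diagnostic helper for the situation Rowland describes (the RODC caches records and, only for allowed accounts, passwords; everything else needs a reachable RWDC), added here as an example and not code from either post or from the Samba project. It assumes it runs as root on the Samba RODC with samba-tool in PATH; the account names passed to it are hypothetical, and the text filter assumes the layout of `samba-tool drs showrepl` output.

```shell
#!/bin/sh
# Added example for this thread; not code from either post or from the Samba project.
# Run as root on the Samba RODC (rodc-1 in the thread) with samba-tool in PATH.
# The replication filter assumes the 'samba-tool drs showrepl' layout: section
# headers, one "<site>\<dc> via RPC" line and one "N consecutive failure(s)." line
# per partner. Account names given to rodc_check are hypothetical.
set -u

# Default AD group whose members an RODC may cache secrets for.
PRP_ALLOW_GROUP="Allowed RODC Password Replication Group"

# Read 'samba-tool drs showrepl' text on stdin; print each inbound partner whose
# recent replication attempts failed (an offline hub RWDC shows up here).
failed_inbound() {
    awk '
        /^==== INBOUND NEIGHBORS ====/  { inbound = 1; next }
        /^==== OUTBOUND NEIGHBORS ====/ { inbound = 0 }
        inbound && /^[ \t]*(DC|CN)=/    { nc = $0; sub(/^[ \t]+/, "", nc) }
        inbound && / via /              { peer = $1 }
        inbound && /consecutive failure/ && ($1 + 0) > 0 {
            print peer " (" nc "): " $1 " consecutive failure(s)"
        }'
}

# 0 if the account is in the allow group, i.e. this RODC may hold its password;
# accounts outside it can only be authenticated while an RWDC is reachable.
cacheable() {
    samba-tool group listmembers "$PRP_ALLOW_GROUP" | grep -qxF -- "$1"
}

# Cache the secrets of the given accounts on this RODC now, so the remote site
# keeps authenticating while the hub is unreachable. This is the trade-off from
# the thread: whatever is cached is exposed if the RODC is stolen.
preload_accounts() {
    for acct in "$@"; do
        if cacheable "$acct"; then
            samba-tool rodc preload "$acct" || echo "preload failed: $acct" >&2
        else
            echo "skipped $acct: not a member of '$PRP_ALLOW_GROUP'" >&2
        fi
    done
}

rodc_check() {
    echo "== inbound replication partners with failures =="
    samba-tool drs showrepl | failed_inbound
    echo "== preloading accounts of this site =="
    preload_accounts "$@"
}
# Usage on the RODC (computer accounts carry a trailing $):  rodc_check 'remote-1$' alice
```

`failed_inbound` also works over saved showrepl output (`failed_inbound < showrepl.txt`), which is useful when collecting the level 10 logs and traces for a bug report.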