Manzini Enrico
2024-Dec-31 09:42 UTC
[Samba] R: R: samba remote site client authentication and network browsing problem
Ok, but why, if I browse the network from the client with the remote RODC and the RWDC used as replication partner for the RODC join online, does everything work as expected, but if I shut down the RWDC used as replication partner for the RODC join, the client no longer works?

The join command for the remote RODC RODC-1 is:

samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 = yes' -U administrator -W SCRATCH

The situation is as follows (client rebooted):

RODC-1 and DC-1 online:
Client can browse the network as expected; for example it can parse DC-2 (the second DC in the central site) shares (netlogon and sysvol) with single sign-on.
RODC-1 shell:
'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine

RODC-1 online and DC-1 offline:
Client no longer works, and cannot parse DC-2 shares.
RODC-1 shell:
'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' does not work anymore

ADDITIONAL INFORMATION
We also made a mirror test with a pure Microsoft Windows infrastructure (2 DCs in a central site, and a remote site's RODC), and the problem did not arise.

Enrico Manzini

-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Monday 30 December 2024 18:03
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] R: samba remote site client authentication and network browsing problem

On Mon, 30 Dec 2024 16:07:31 +0000 Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Hi Rowland
> We actually use RODCs because we have a customer with a hub and spoke configuration with 4 RWDCs in the central site, and about 80 remote sites with RODCs deployed, all of these with low hardware security, sites where the machine can physically be stolen,

Well, as I said, from my point of view, that is the only valid reason to deploy an RODC.

> so we opted to use RODC machines at the remote sites
> The connectivity and DNS resolution both work fine, whether the DC used as RODC replication partner is online or offline
> We reproduced the customer configuration in an internal lab and:
> - Linux based deployment works only if the server used as replication partner during the RODC domain join is online; after that, if it is offline, the problem we explained before arises

That is something I think you need to explain a bit better, joining an RODC is no different to joining an RWDC and you do not need to specify a replication partner for either, Samba should find the 'best' DC to join and replicate from.

> We also tested a remote RWDC environment, and:
> - with the remote server configured as RWDC and not as RODC, the problem did not arise

That is because an RWDC will have all the AD records and can supply these without contacting another DC, an RODC needs to 'talk' to an RWDC to get some, if not all the required AD records, which they then 'cache'.

> We also tested a pure Windows environment from scratch and:
> - Windows based deployment works fine in both cases

If that is the case, then I suggest you get level 10 logs and wire traces and open a Samba bug report, a Samba AD computer should do what a Windows one can (but be aware, Samba not doing something can be down to lack of code to do it and you may have to wait until that code does get created)

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Manzini Enrico
2024-Dec-31 10:35 UTC
[Samba] I: R: R: samba remote site client authentication and network browsing problem
It seems that the RODC, if the domain controller used as replication partner during the domain join is offline, does not route the authentication requests to the other domain controllers present.

Enrico Manzini
Rowland Penny
2024-Dec-31 10:36 UTC
[Samba] R: R: samba remote site client authentication and network browsing problem
On Tue, 31 Dec 2024 09:42:05 +0000 Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Ok, but why, if I browse the network from the client with the remote RODC and the RWDC used as replication partner for the RODC join online, does everything work as expected, but if I shut down the RWDC used as replication partner for the RODC join, the client no longer works?

Possibly because the RODC is hard wired to use its replication partner for passwords? Is DNS set up correctly?

> The join command for the remote RODC RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 = yes' -U administrator -W SCRATCH

You shouldn't have to use '--server=' to join, Samba should find the best DC to use. Once the RODC is joined, it should use itself as its first nameserver.

> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse the network as expected; for example it can parse DC-2 (the second DC in the central site) shares (netlogon and sysvol) with single sign-on.
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
>
> RODC-1 online and DC-1 offline:
> Client no longer works, and cannot parse DC-2 shares.

Is the client using the RODC as its nameserver?

> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' does not work anymore

If the link is up and DNS is correct, it should be able to replicate.

> ADDITIONAL INFORMATION
> We also made a mirror test with a pure Microsoft Windows infrastructure (2 DCs in a central site, and a remote site's RODC), and the problem did not arise.

If you are sure that your DNS is correct and the only difference is that Windows works and Samba doesn't, then I suggest you file a bug report.

Rowland
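The checks Rowland asks for above (is DNS correct, is the RODC its own first nameserver, does DNS still offer another DC once DC-1 is down) can be scripted; the helper below is an added example, not code from the thread or from Samba. It reuses the thread's names (scratch.lan, REMOTE, dc-1, dc-2, rodc-1), while the IP addresses, the resolv.conf content and the SRV answers in it are constructed sample data.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. It checks the points Rowland raises:
# does the RODC use itself as first nameserver, and does DNS still offer another DC
# once the join-time replication partner (DC-1) is down? All sample data is constructed.

# Constructed sample of `dig +short SRV _ldap._tcp.dc._msdcs.scratch.lan`
# (fields: priority weight port target).
SAMPLE_SRV='0 100 389 dc-1.scratch.lan.
0 100 389 dc-2.scratch.lan.'

# Constructed sample of the RODC's /etc/resolv.conf; 10.0.2.10 is assumed to be RODC-1.
SAMPLE_RESOLV='search scratch.lan
nameserver 10.0.2.10
nameserver 10.0.1.10'

# Print the distinct target hosts in a SRV answer ($1), trailing dots stripped.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }' | sort -u
}

# Count the DCs DNS still offers when host $2 (e.g. dc-1.scratch.lan) is down.
dcs_remaining_without() {
    srv_targets "$1" | grep -v -x "$2" | grep -c . || true
}

# Succeed if the first nameserver in resolv.conf content ($1) is the RODC's own IP ($2).
first_ns_is_self() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# Live mode: run the real queries on the RODC itself (needs dig and samba-tool).
run_live() {
    domain=$1; site=$2; self_ip=$3
    if first_ns_is_self "$(cat /etc/resolv.conf)" "$self_ip"; then
        echo "ok: first nameserver is this RODC ($self_ip)"
    else
        echo "WARN: first nameserver is not $self_ip"
    fi
    echo "domain-wide DCs:"; srv_targets "$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain")"
    echo "DCs in site $site:"; srv_targets "$(dig +short SRV "_ldap._tcp.$site._sites.dc._msdcs.$domain")"
    samba-tool drs showrepl   # which partners the RODC is actually replicating from
}

# Usage on the RODC: sh rodc_check.sh --live scratch.lan REMOTE <rodc ip>
if [ "${1:-}" = "--live" ]; then
    run_live "$2" "$3" "$4"
fi
```

Run without --live the script only defines the functions, so the parsing can be exercised against captured dig output before running it on the RODC.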