Rowland Penny
2024-Dec-31 10:36 UTC
[Samba] R: R: samba remote site client authentication and network browsing problem
On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Ok, but why if I browse the network from the client with the remote
> RODC and the RWDC used as replication partner for RODC join online,
> everything works as expected, but if I shut down the RWDC used for RODC
> join replication partner offline, the client no longer works?
>

Possibly because the RODC is hard wired to use its replication partner for passwords? Is DNS set up correctly?

> The join command for the remote RODC RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan
> --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 =
> yes' -U administrator -W SCRATCH
>

You shouldn't have to use '--server=' to join, Samba should find the best DC to use.
Once the RODC is joined, it should use itself as its first nameserver.

> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse the network as expected, for example it can parse DC-2
> (the second DC in the central site) shares (netlogon and sysvol) in
> single sign on
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
>
> RODC-1 online and DC-1 offline:
> Client no longer works, and cannot parse DC-2 shares

Is the client using the RODC as its nameserver?

> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' does not work anymore
>

If the link is up and DNS is correct, it should be able to replicate.

> ADDITIONAL INFORMATION
> We also made a specular test with a pure Microsoft Windows
> infrastructure (2 DCs in a central site, and a remote site's RODC),
> and the problem did not arise
>

If you are sure that your DNS is correct and the only difference is that Windows works and Samba doesn't, then I suggest you file a bug report.

Rowland
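An offline way to check the two DNS facts Rowland asks about (is the RODC advertised in the REMOTE site's DC-locator SRV record, and does the RODC list itself as its first nameserver), written as an added example for this thread and not code from either poster; the dig output, resolv.conf contents and IP addresses are constructed, not taken from the reported setup.

```python
"""Offline check of site-specific DC-locator SRV records and an RODC's resolv.conf.
Sample data below is constructed for illustration (hypothetical addresses)."""
import re
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

# Constructed dig-style answer section for the REMOTE site's LDAP locator record.
SRV_ANSWER = """\
_ldap._tcp.REMOTE._sites.dc._msdcs.scratch.lan. 900 IN SRV 0 100 389 rodc-1.scratch.lan.
_ldap._tcp.REMOTE._sites.dc._msdcs.scratch.lan. 900 IN SRV 0 100 389 dc-1.scratch.lan.
"""

# Constructed resolv.conf as it might look on RODC-1 (10.0.2.10 assumed to be RODC-1).
RESOLV_CONF = """\
search scratch.lan
nameserver 10.0.2.10
nameserver 10.0.1.10
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")

def parse_srv(text):
    """Parse dig-style SRV answer lines; trailing dots on owner and target are stripped."""
    out = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            out.append(SRV(name.rstrip("."), int(prio), int(weight), int(port), target))
    return out

def site_dcs(records, site, domain):
    """DC targets advertised for LDAP in a site, lowest priority / highest weight first."""
    name = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    hits = [r for r in records if r.name.lower() == name.lower()]
    return [r.target for r in sorted(hits, key=lambda r: (r.priority, -r.weight))]

def first_nameserver(resolv_conf):
    """First 'nameserver' entry of a resolv.conf, or None if there is none."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None

def rodc_self_check(records, resolv_conf, site, domain, rodc_fqdn, rodc_ip):
    """Return (advertised_in_site, uses_itself_as_first_nameserver)."""
    advertised = rodc_fqdn.lower() in (t.lower() for t in site_dcs(records, site, domain))
    uses_itself = first_nameserver(resolv_conf) == rodc_ip
    return advertised, uses_itself
```

On a live RODC the same checks correspond to `dig SRV _ldap._tcp.REMOTE._sites.dc._msdcs.scratch.lan` and reading `/etc/resolv.conf`; a site record that omits the RODC, or a resolv.conf that points at the RWDC first, is the kind of misconfiguration that surfaces only once that RWDC goes offline.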
Manzini Enrico
2025-Jan-02 08:25 UTC
[Samba] R: R: R: samba remote site client authentication and network browsing problem
Hi Rowland

I tried several tests and:
- tried FSMO transfer from the RWDC used as replication partner to the secondary DC, no luck, problem persists
- tried join with no replication partner specification, no luck, problem persists

Also during the join procedure the RODC anyway finds a domain controller to use as a replication partner (it says "find dc dc_name", and after the join procedure, we could find it as an NTDS RODC connection object in Active Directory Sites and Services)

Also:
- servers' DNS correctly configured
- client DNS correctly configured
- client logon server correctly connected

The nltest command reports the correct RODC server

But the problem explained above persists

Enrico Manzini