Manzini Enrico
2025-Jan-02 08:25 UTC
[Samba] R: R: R: samba remote site client authentication and network browsing problem
Hi Rowland

I tried several tests and:
- tried fsmo transfer from the rwdc used as replication partner to the secondary dc, no luck, problem persists
- tried join with no replication partner specification, no luck, problem persists
Also during the join procedure the rodc anyway finds a domain controller to use as a replication partner (it says "find dc dc_name", and after the join procedure, we could find it as ntds rodc connection object in active directory sites and services)

Also:
- servers dns correctly configured
- client dns correctly configured
- client logon server correctly connected
The nltest command reports the correct rodc server

But the problem explained above persists

Enrico Manzini

-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Tuesday 31 December 2024 11:37
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] R: R: samba remote site client authentication and network browsing problem

On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Ok, but why if I browse the network from the client with the remote
> rodc and the rwdc used as replication partner for rodc join online,
> everything works as expected, but if I shut down the rwdc used for rodc
> join replication partner offline, client does not work anymore?
>

Possibly because the RODC is hard wired to use its replication partner for passwords ? Is dns set up correctly ?

> The join command for the remote rodc RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan
> --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 =
> yes' -U administrator -W SCRATCH
>

You shouldn't have to use '--server=' to join, Samba should find the best DC to use.
Once the RODC is joined, it should use itself as its first nameserver.

> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse network as expected, for example it can parse DC-2
> (the second dc in the central site) shares (netlogon and sysvol) in
> single sign on RODC-1 shell: 'samba-tool drs replicate rodc-1 dc-1
> dc=scratch,dc=lan -U administrator' works fine 'samba-tool drs
> replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
>
> RODC-1 online and DC-1 offline:
> Client no longer works, and cannot parse DC-2 shares

Is the client using the RODC as its nameserver ?

> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U
> administrator' does not work anymore
>

If the link is up and dns is correct, it should be able to replicate.

> ADDITIONAL INFORMATION
> We also made a specular test with a pure microsoft windows
> infrastructure (2 dc's in a central site, and a remote site's rodc),
> and the problem did not arise
>

If you are sure that your dns is correct and the only difference is that Windows works and Samba doesn't, then I suggest you file a bug report.

Rowland
Rowland Penny
2025-Jan-02 11:52 UTC
[Samba] R: R: R: samba remote site client authentication and network browsing problem
On Thu, 2 Jan 2025 08:25:56 +0000
Manzini Enrico <emanzini at zensistemi.com> wrote:

> Hi Rowland
>
> I tried several tests and:
> - tried fsmo transfer from the rwdc used as replication partner to
> the secondary dc, no luck, problem persists
> - tried join with no replication partner specification, no luck,
> problem persists
> Also during the join procedure the rodc anyway finds a
> domain controller to use as a replication partner (it says "find dc
> dc_name", and after the join procedure, we could find it as ntds rodc
> connection object in active directory sites and services)
>
> Also:
> - servers dns correctly configured

Are the DCs (this includes the RODC) using themselves as their nameserver ?

> - client dns correctly configured

Are the clients (at the RODC site) using the RODC as their nameserver ?

> - client logon server correctly connected
> The nltest command reports the correct rodc server
>
> But the problem explained above persists
>

If everything is correct and Windows works as expected, but Samba doesn't, then it sounds like you have found a bug, so please file a bug report, but get as much info as possible (level 10 logs, network traces etc.).

One last thing you could check, Samba uses the same 'priority' and 'weight' for all SRV records ('0' & '100'), what does Windows use ?

Rowland