search for: rodc

 Hi,  I am working on a deployment of Samba as a domain controller, with one central domain controller and several read-only DC.  The deployment works, and computers seems to interact with the RODCs as they should, but sometimes computers leave the domain after a password change.  This seems to happen only on RODC where the passwords have been replicated - on one occasion the RODC was not set to store password hashes, and computers connected to this RODC don't seem to have issues....

On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba < samba at lists.samba.org> wrote: > On Sun, 5 May 2019 09:20:37 -0300 > Emerson Kfuri via samba <samba at lists.samba.org> wrote: > > > Hello, > > > > Recently I started using RODC servers on my environment and noticed a > > few issues with it: > > - lack of LDAP SPNs > > - "samba_dnsupdate" not working with "insufficient access rights" (it > > works from RWDCs) > > Probably because you cannot write to an RODC > Yes! That&...

On Tue, 23 Oct 2018 10:07:29 +1300 Garming Sam via samba <samba at lists.samba.org> wrote: > Hi, > > On 20/10/18 1:26 AM, Julien Ropé via samba wrote: > > > >  The deployment works, and computers seems to interact with the > > RODCs as they should, but sometimes computers leave the domain > > after a password change. > > > >  This seems to happen only on RODC where the passwords have been > > replicated - on one occasion the RODC was not set to store password > > hashes, and computers connected t...

> Jakob Curdes via samba<samba at lists.samba.org> wrote: > >> Hello, we have setup a SAMBA4 RODC in our setup where we have two >> exisitng RW Samba4 DC's. >> >> The RODC is joined correctly and can preload user accounts etc. It >> also can resolve its own name and the name of other DC's, also the >> SRV records needed. >> We created an own site with...

Hello everybody, if I set up a RODC in a different site with an own subnet do I have to replicate the machine-passwords with "samba-tool rodc reload host\$ --server=addc"? Or can a machine always authenticate against a RODC? Greetings Stefan -------------- next part -------------- A non-text attachment was scrubbed......

...user from Domain Admin group(maybe it works with other users too, but I didn't test it). Andrej Am 07.08.2018 um 17:00 schrieb Stefan Kania via samba: > When I start the replication from the other DC it works as you can see: > ------- > root at addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net > Replicate from addc-01 to rodc-01 was successful. > ------- > > Am 07.08.2018 um 15:26 schrieb Stefan Kania via samba: >> Hello, >> >> I just start testing the setup of an RODC with 4.8.3 (I use the packages >> from Louis). The join...

Hi Garming, > As far I know, all this should work as you would expect. Quite recently, > Andrew Bartlett and I went about testing some of the behaviour of the > KDC and confirming behaviour such as RODC ticket forwarding. thanks for the input. It gives me hope to dig deeper! I have some more time to spend on this issue today, I gonna try some more scenario. > The one thing to check would be whether or not Samba is being linked > against system Heimdal. As it stands, there is no real testi...

...t 2018 10:07:29 +1300 > > Garming Sam via samba <samba at lists.samba.org> wrote: > > > >> Hi, > >> > >> On 20/10/18 1:26 AM, Julien Ropé via samba wrote: > >>>  The deployment works, and computers seems to interact with the > >>> RODCs as they should, but sometimes computers leave the domain > >>> after a password change. > >>> > >>>  This seems to happen only on RODC where the passwords have been > >>> replicated - on one occasion the RODC was not set to store > >>> pa...

On Wed, 24 Jan 2024 15:54:38 +0100 Jakob Curdes via samba <samba at lists.samba.org> wrote: > Hello, we have setup a SAMBA4 RODC in our setup where we have two > exisitng RW Samba4 DC's. > > The RODC is joined correctly and can preload user accounts etc. It > also can resolve its own name and the name of other DC's, also the > SRV records needed. > We created an own site with specific subnet for t...

Hello, I just start testing the setup of an RODC with 4.8.3 (I use the packages from Louis). The join works fine. After a reboot of the rodc I can see all Objcts with: ldbsearch --url=/var/lib/samba/private/sam.ldb and all users and groups with: wbinfo -u wbinfo -g But as soon as I try to test the replication I got this message: ----------- roo...

...mba < > > samba at lists.samba.org> wrote: > > > > > On Sun, 5 May 2019 09:20:37 -0300 > > > Emerson Kfuri via samba <samba at lists.samba.org> wrote: > > > > > > > Hello, > > > > > > > > Recently I started using RODC servers on my environment and > > > > noticed a few issues with it: > > > > - lack of LDAP SPNs > > > > - "samba_dnsupdate" not working with "insufficient access > > > > rights" (it works from RWDCs) > > > > > > P...

Am 22.11.18 um 17:51 schrieb Rowland Penny via samba: > On Thu, 22 Nov 2018 17:29:16 +0100 > Stefan Kania via samba <samba at lists.samba.org> wrote: > >> Hello everybody, >> >> if I set up a RODC in a different site with an own subnet do I have to >> replicate the machine-passwords with "samba-tool rodc reload host\$ >> --server=addc"? Or can a machine always authenticate against a RODC? >> > > It is my understanding that an RODC never really does authenti...

Hi everyone, I would like to have some input on ressources access from a workstation logged on a RODC server that has to connect on hub site servers. After login in the remote windows workstation, I have LOGONSERVER environment variable set to the local RODC server (workstation and user credentials have been preloaded). Everything works fine on local server. However if I want to connect to cent...

Hi, I've tried replacing some 2012R2 RODC by samba-4.9.4 RODCs. One question about password replication: Samba wiki (https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) states that samba RODC acts as a proxy server to a writable DC if users are not member of the Allowed RODC Password Replication Group, which is the behavior we k...

Hello, Recently I started using RODC servers on my environment and noticed a few issues with it: - lack of LDAP SPNs - "samba_dnsupdate" not working with "insufficient access rights" (it works from RWDCs) - "samba-tool dbcheck" changes instancetype of basically all objects from 4 to 0. New replicated obje...

...s actually > happening. sorry to come back to you so late... It seems inded to be some kind of compilation issue like you suggested : I tried the pre-compiled sernet package (adding the python patch for user/machine preloading). Then my previous scenario (blocked_fw / kinit / smbclient -k -L rodc / clear_fw / smbclient -k -L srvads) worked liked a charm. However on the windows side, I still couldn't log on the rodc and I had the same windows error message as Michael Brown in his post [1] (even tough the AS_REQ/AS_REP was going fine, checked with log level= 9). Having no clue at all...

When I run "gpresult /R" on one of my domain users the ". . . following security groups" listed at the bottom of the output includes "Denied RODC Password Replication Group". Did a little web search digging and found that RODC stands for Read Only Domain Controller. My domain consists of two DC's and one member server with three W10 workstations. I have never had a RODC. Both DC's are Samba 4.10.5 (maybe 4.10.4?) running the...

Hello, we have setup a SAMBA4 RODC in our setup where we have two exisitng RW Samba4 DC's. The RODC is joined correctly and can preload user accounts etc. It also can resolve its own name and the name of other DC's, also the SRV records needed. We created an own site with specific subnet for this RODC "area"....

I'm preparing a lab to test the scenario in which a remote office uses a RODC to cache all users/computers/GPOs from a DC. I've set up a environment with all requirements (two subnets, one with a DC and the other with a RODC). I've joined the domain with a windows machine to the RODC subnet with both DCs being up. Using the windows tools (DSA), I've placed a use...

...019 at 9:52 AM Rowland Penny via samba < > samba at lists.samba.org> wrote: > > > On Sun, 5 May 2019 09:20:37 -0300 > > Emerson Kfuri via samba <samba at lists.samba.org> wrote: > > > > > Hello, > > > > > > Recently I started using RODC servers on my environment and > > > noticed a few issues with it: > > > - lack of LDAP SPNs > > > - "samba_dnsupdate" not working with "insufficient access > > > rights" (it works from RWDCs) > > > > Probably because you cannot w...