Displaying 20 results from an estimated 87 matches for "rwdc".
2015 Apr 09
2
Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
...e it atm.
could you please develop on that RODC support? I am very curious to know
what should be working and what should not.
Actually I've been using RODC with partial success: RODC join, user and
machine account preload (with corresponding patch), dns update through
netlogon service on RWDC, connection when RWDC is disconnected. It has
been running in production in our datacenter for webapp authentication
for months, albeit with some hiccups. It has never been completely fine
from a stability and reproducibility point of view, and I switched it
back to RWDC earlier this week....
Tha...
2019 May 05
2
Issues with RODC
...wrote:
>
> > Hello,
> >
> > Recently I started using RODC servers on my environment and noticed a
> > few issues with it:
> > - lack of LDAP SPNs
> > - "samba_dnsupdate" not working with "insufficient access rights" (it
> > works from RWDCs)
>
> Probably because you cannot write to an RODC
>
Yes! That's the idea! But if these records are not automatically
registered, means admin always have to add them manually. This should be
documented so...
>
> > - "samba-tool dbcheck" changes instancetype of basi...
2015 Feb 10
0
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...nd
> user credentials have been preloaded). Everything works fine on local
> server. However if I want to connect to central office resources,
> kerberos auth does not work for central servers.
>
> According to MS docs [1], the RODC should forward the KRB_TGS_REQ to
> the hub RWDC so that it can compute the corresponding service ticket
> and send it back to the RODC which forwards it to the workstation.
>
> However it does not seem to happen in my case. I wanted to know if
> someone had succeeded to make it work in such a scenario, and what I
> may have don...
2015 Feb 10
2
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...al RODC server (workstation and user
credentials have been preloaded). Everything works fine on local server.
However if I want to connect to central office resources, kerberos auth
does not work for central servers.
According to MS docs [1], the RODC should forward the KRB_TGS_REQ to the
hub RWDC so that it can compute the corresponding service ticket and
send it back to the RODC which forwards it to the workstation.
However it does not seem to happen in my case. I wanted to know if
someone had succeeded to make it work in such a scenario, and what I may
have done wrong.
Samba 4.1.16 o...
2015 Feb 16
0
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...> think and there should be no heimdal inside.
>
> I'm going to check that kind of setup with sernet packages and see if
> it gets any better. By the way, the issue can be reproduced on command
> line on the rodc (in the excerpt below, rodc-nantes is the rodc,
> srvads is the rwdc and everything works fine except this issue) :
>
> [root@rodc-nantes.tranq ~]# shorewall start
>
> [root@rodc-nantes.tranq ~]# kinit dcardon
> Password for dcardon@TRANQUILIT.LOCAL:
>
> [root@rodc-nantes.tranq ~]# shorewall clear
>
> [root@rodc-nantes.tran...
2014 Jan 11
2
Access denied using IP when joined in MS domain with RODC
...c.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD1.LOCAL
[realms]
AD1.LOCAL = {
default_domain = ad1.local
#----- RODC ---------
kdc = public.ad1.local:88
admin_server = public.ad1.local:749
#----- RWDC ---------
#rwdc kdc = ad1.local:88
#rwdc admin_server = ad1.local:749
}
[domain_realm]
ad1.local = AD1.LOCAL
--------------------------------------
/etc/samba/smb.conf
--------------------------------------
[global]
log file = /var/log/samba/log.%m...
2013 Feb 04
1
Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
able to successfully join the client:
[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_na...
2015 Feb 16
2
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...MIT kerberos libraries I think
and there should be no heimdal inside.
I'm going to check that kind of setup with sernet packages and see if it
gets any better. By the way, the issue can be reproduced on command line
on the rodc (in the excerpt below, rodc-nantes is the rodc, srvads is
the rwdc and everything works fine except this issue) :
[root@rodc-nantes.tranq ~]# shorewall start
[root@rodc-nantes.tranq ~]# kinit dcardon
Password for dcardon@TRANQUILIT.LOCAL:
[root@rodc-nantes.tranq ~]# shorewall clear
[root@rodc-nantes.tranq ~]# klist
Ticket cache: FILE:/tmp/krb5c...
2019 May 05
2
Issues with RODC
Hello,
Recently I started using RODC servers on my environment and noticed a few
issues with it:
- lack of LDAP SPNs
- "samba_dnsupdate" not working with "insufficient access rights" (it works
from RWDCs)
- "samba-tool dbcheck" changes instancetype of basically all objects from 4
to 0. New replicated objects continue being created with instancetype 4
and dbcheck continues to change them
- "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED
- "samba-tool domai...
2015 Feb 22
1
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...hould be no heimdal inside.
>>
>> I'm going to check that kind of setup with sernet packages and see if
>> it gets any better. By the way, the issue can be reproduced on
>> command line on the rodc (in the excerpt below, rodc-nantes is the
>> rodc, srvads is the rwdc and everything works fine except this issue) :
>>
>> [root@rodc-nantes.tranq ~]# shorewall start
>>
>> [root@rodc-nantes.tranq ~]# kinit dcardon
>> Password for dcardon@TRANQUILIT.LOCAL:
>>
>> [root@rodc-nantes.tranq ~]# shorewall clear
>>...
2019 May 05
0
Issues with RODC
...> > >
> > > Recently I started using RODC servers on my environment and
> > > noticed a few issues with it:
> > > - lack of LDAP SPNs
> > > - "samba_dnsupdate" not working with "insufficient access
> > > rights" (it works from RWDCs)
> >
> > Probably because you cannot write to an RODC
> >
>
> Yes! That's the idea! But if these records are not automatically
> registered, means admin always have to add them manually. This should
> be documented so...
In the Samba world, working RODC'...
2018 Oct 23
1
Samba 4.7+ - RODC and password change support
...onments requiring no writable
> > behaviour.
> >
> > This seems to suggest that using an RODC is no longer experimental
> > and can be used in production.
> >
> > However, if there isn't the structure in place to forward all write
> > operations to an RWDC, then how can it be used in production ?
>
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the cli...
2018 Nov 22
2
machine account on RODC
Hello everybody,
if I set up a RODC in a different site with an own subnet do I have to
replicate the machine-passwords with "samba-tool rodc reload host\$
--server=addc"? Or can a machine always authenticate against a RODC?
Greetings
Stefan
2019 May 05
2
Issues with RODC
...> > Recently I started using RODC servers on my environment and
> > > > noticed a few issues with it:
> > > > - lack of LDAP SPNs
> > > > - "samba_dnsupdate" not working with "insufficient access
> > > > rights" (it works from RWDCs)
> > >
> > > Probably because you cannot write to an RODC
> > >
> >
> > Yes! That's the idea! But if these records are not automatically
> > registered, means admin always have to add them manually. This should
> > be documented so...
>
>...
2015 Apr 09
0
Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
...please develop on that RODC support? I am very curious to know
> what should be working and what should not.
>
> Actually I've been using RODC with partial success: RODC join, user and
> machine account preload (with corresponding patch), dns update through
> netlogon service on RWDC, connection when RWDC is disconnected. It has
> been running in production in our datacenter for webapp authentication
> for months, albeit with some hiccups. It has never been completely fine
> from a stability and reproducibility point of view, and I switched it
> back to RWDC earlier th...
2018 Nov 22
1
machine account on RODC
...an own subnet do I have to
>> replicate the machine-passwords with "samba-tool rodc reload host\$
>> --server=addc"? Or can a machine always authenticate against a RODC?
>>
>
> It is my understanding that an RODC never really does authentication
> like a normal RWDC. When authentication is asked for, the RODC first
> checks its cache and if the required data is cached, authentication is
> granted. If it isn't cached, an RWDC is queried which authenticates
> the request, if appropriate, and the RODC then, if configured to do
> so, asks for the p...
2018 Dec 07
1
Samba4 Kerberos Authentication Error
...office. While I have no issue making one of
>> the file servers also function as a backup DC, I really don't
>> want to add yet another server to the mix to handle a single
>> role.
>
> I know Windows sysadmins refer to DC's via various different names, but
> AD RWDC's are all the same apart from the FSMO roles and they can be on
> any DC.
>
> If resources are limited, you can use a DC as a fileserver, you just
> have to be aware of the limitations.
>
> Rowland
>
I'm newbie lost with the terminology :)
Currently I have two serv...
2018 Oct 23
3
Samba 4.7+ - RODC and password change support
...e critical bugs have been fixed and the
RODC can be used in DC environments requiring no writable behaviour.
This seems to suggest that using an RODC is no longer experimental and
can be used in production.
However, if there isn't the structure in place to forward all write
operations to an RWDC, then how can it be used in production ?
Rowland
2015 Mar 16
2
Joining a samba member server using offline join or a RODC
Hi,
I would like to join a samba 4.2.0 file server sitting in a branch
office, with connection only to a RODC (and only the RODC can talk to
the RWDC). Was wondering what's the workflow for doing this in samba.
For Windows machines, Microsoft seems to have planned two workflows for this:
1. Use new flag to NetJoinDomain() API to join using the RODC
(https://technet.microsoft.com/en-us/library/dd728035%28v=ws.10%29.aspx#run_join_script).
W...
2019 Mar 29
2
Is RODC password replication different from the windows version by design or is it a bug?
...>>
>
> Yes it should and there is a bug report for something similar already,
> see here: https://bugzilla.samba.org/show_bug.cgi?id=13377
>
> I know that is for members of the denied group, but the substance is
> the same, users are not getting authenticated on a RODC from a RWDC.
>
> Can you please add to that bug report ?
>
> Rowland
>
>
Thanks Rowland, that's exactly the topic. Garming Sam has commented on it
yesterday, the issue is that kerberos forwarding isn't implemented for
now. That is exactly what we're seeing, authentication works __af...