Displaying 20 results from an estimated 100 matches for "rwdc".
2024 Dec 30
1
R: samba remote site client authentication and network browsing problem
On Mon, 30 Dec 2024 16:07:31 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Hi Rowland
> We actually use RODC's because we have a customer with hub and spoke
> configuration with 4 RWDC's in the central site, and about 80 remote
> sites with RODC's deployed, all of these with low hardware security,
> sites where the machine can physically be stolen,
Well, as I said, from my point of view, that is the only valid reason
to deploy an RODC.
> so we opted to
>...
2024 Dec 31
2
R: R: samba remote site client authentication and network browsing problem
Ok, but why, if I browse the network from the client with the remote rodc and the rwdc used as replication partner for rodc join online, everything works as expected, but if I shut down the rwdc used for rodc join replication partner offline, the client does not work anymore?
The join command for the remote rodc RODC-1 is:
samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan --re...
2024 Dec 30
1
R: samba remote site client authentication and network browsing problem
Hi Rowland
We actually use RODC's because we have a customer with hub and spoke configuration with 4 RWDC's in the central site, and about 80 remote sites with RODC's deployed, all of these with low hardware security, sites where the machine can physically be stolen, so we opted to use RODC's machines at the remote sites
The connectivity and dns resolution works both fine, with or witho...
2015 Apr 09
2
Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
...e it atm.
could you please develop on that RODC support? I am very curious to know
what should be working and what should not.
Actually I've been using RODC with partial success: RODC join, user and
machine account preload (with corresponding patch), dns update through
netlogon service on RWDC, connexion when RWDC is disconnected. It has
been running in production in our datacenter for webapp authentication
for months, albeit with some hiccups. It has never been completely fine
from a stability and reproducibility point of view, and I switched it
back to RWDC earlier this week....
Tha...
2019 May 05
2
Issues with RODC
...wrote:
>
> > Hello,
> >
> > Recently I started using RODC servers on my environment and noticed a
> > few issues with it:
> > - lack of LDAP SPNs
> > - "samba_dnsupdate" not working with "insufficient access rights" (it
> > works from RWDCs)
>
> Probably because you cannot write to an RODC
>
Yes! That's the idea! But if these records are not automatically
registered, means admin always have to add them manually. This should be
documented so...
>
> > - "samba-tool dbcheck" changes instancetype of basi...
2015 Feb 10
0
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...nd
> user credentials have been preloaded). Everything works fine on local
> server. However if I want to connect to central office resources,
> kerberos auth does not work for central servers.
>
> According to MS docs [1], the RODC should forward the KRB_TGS_REQ to
> the hub RWDC so that it can compute the corresponding service ticket
> and send it back to the RODC which forwards it to the workstation.
>
> However it does not seem to happen in my case. I wanted to know if
> someone had succeeded to make it work in such a scenario, and what I
> may have don...
2015 Feb 10
2
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...al RODC server (workstation and user
credentials have been preloaded). Everything works fine on local server.
However if I want to connect to central office resources, kerberos auth
does not work for central servers.
According to MS docs [1], the RODC should forward the KRB_TGS_REQ to the
hub RWDC so that it can compute the corresponding service ticket and
send it back to the RODC which forwards it to the workstation.
However it does not seem to happen in my case. I wanted to know if
someone had succeeded to make it work in such a scenario, and what I may
have done wrong.
Samba 4.1.16 o...
2015 Feb 16
0
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...> think and there should be no heimdal inside.
>
> I'm going to check that kind of setup with sernet packages and see if
> it gets any better. By the way, the issue can be reproduced on command
> line on the rodc (in the excerpt below, rodc-nantes is the rodc,
> srvads is the rwdc and everything works fine except this issue) :
>
> [root at rodc-nantes.tranq ~]# shorewall start
>
> [root at rodc-nantes.tranq ~]# kinit dcardon
> Password for dcardon at TRANQUILIT.LOCAL:
>
> [root at rodc-nantes.tranq ~]# shorewall clear
>
> [root at rodc-nantes.tran...
2024 Dec 24
1
samba remote site client authentication and network browsing problem
...If we put back online that writable DC, everything goes
> back to normal: single sign on works correctly and the windows client
> can browse every server Do you have any suggestions?
> Thank you for your help
>
> Enrico Manzini
First, what is your reason to use an RODC instead of a RWDC ? If it
isn't 'we are afraid the DC might be stolen', then I would give up on
the RODC and install a RWDC.
Your AD clients must be able to find their records, as do your users,
this means that, if the network is flaky, machine, user & group records
will have to be replicated to the...
2014 Jan 11
2
Access denied using IP when joined in MS domain with RODC
...c.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD1.LOCAL
[realms]
AD1.LOCAL = {
default_domain = ad1.local
#----- RODC ---------
kdc = public.ad1.local:88
admin_server = public.ad1.local:749
#----- RWDC ---------
#rwdc kdc = ad1.local:88
#rwdc admin_server = ad1.local:749
}
[domain_realm]
ad1.local = AD1.LOCAL
--------------------------------------
/etc/samba/smb.conf
--------------------------------------
[global]
log file = /var/log/samba/log.%m...
2013 Feb 04
1
Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both
Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm
able to successfully join the client:
[root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_na...
2015 Feb 16
2
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...MIT kerberos libraries I think
and there should be no heimdal inside.
I'm going to check that kind of setup with sernet packages and see if it
gets any better. By the way, the issue can be reproduced on command line
on the rodc (in the excerpt below, rodc-nantes is the rodc, srvads is
the rwdc and everything works fine except this issue) :
[root at rodc-nantes.tranq ~]# shorewall start
[root at rodc-nantes.tranq ~]# kinit dcardon
Password for dcardon at TRANQUILIT.LOCAL:
[root at rodc-nantes.tranq ~]# shorewall clear
[root at rodc-nantes.tranq ~]# klist
Ticket cache: FILE:/tmp/krb5c...
2019 May 05
2
Issues with RODC
Hello,
Recently I started using RODC servers on my environment and noticed a few
issues with it:
- lack of LDAP SPNs
- "samba_dnsupdate" not working with "insufficient access rights" (it works
from RWDCs)
- "samba-tool dbcheck" changes instancetype of basically all objects from 4
to 0. New replicated objects continue being created with instancetype 4
and dbcheck continues to change them
- "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED
- "samba-tool domai...
2015 Feb 22
1
rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources
...hould be no heimdal inside.
>>
>> I'm going to check that kind of setup with sernet packages and see if
>> it gets any better. By the way, the issue can be reproduced on
>> command line on the rodc (in the excerpt below, rodc-nantes is the
>> rodc, srvads is the rwdc and everything works fine except this issue) :
>>
>> [root at rodc-nantes.tranq ~]# shorewall start
>>
>> [root at rodc-nantes.tranq ~]# kinit dcardon
>> Password for dcardon at TRANQUILIT.LOCAL:
>>
>> [root at rodc-nantes.tranq ~]# shorewall clear
>>...
2019 May 05
0
Issues with RODC
...> > >
> > > Recently I started using RODC servers on my environment and
> > > noticed a few issues with it:
> > > - lack of LDAP SPNs
> > > - "samba_dnsupdate" not working with "insufficient access
> > > rights" (it works from RWDCs)
> >
> > Probably because you cannot write to an RODC
> >
>
> Yes! That's the idea! But if these records are not automatically
> registered, means admin always have to add them manually. This should
> be documented so...
In the Samba world, working RODC'...
2018 Oct 23
1
Samba 4.7+ - RODC and password change support
...onments requiring no writable
> > behaviour.
> >
> > This seems to suggest that using an RODC is no longer experimental
> > and can be used in production.
> >
> > However, if there isn't the structure in place to forward all write
> > operations to an RWDC, then how can it be used in production ?
>
> As far as I remember, change passwords initiated by machines shouldn't
> have unjoined the domain (but passwords could fail to rotate). Most of
> the write operations just come across as LDAP referrals, so it's
> generally the cli...
2024 Dec 31
1
R: R: samba remote site client authentication and network browsing problem
On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Ok, but why, if I browse the network from the client with the remote
> rodc and the rwdc used as replication partner for rodc join online,
> everything works as expected, but if I shut down the rwdc used for rodc
> join replication partner offline, the client does not work anymore?
>
Possibly because the RODC is hard wired to use its replication partner
for passwords ?
Is dns setup co...
2024 Dec 03
1
Recently joined RODC looses machine accounts
...> This is the first time we have used a RODC; our choice was more of a
> security-oriented one. The remote site should have about 30 servers,
When you say '30 servers' is this 30 servers plus clients, or 30
servers including clients ? if the former, then I suggest you upgrade
to an RWDC.
> and we consider the connection to be sufficiently reliable and
> redundant. It is possible since there was some moment of
> disconnection between the various domain controllers while we were
> fixing the firewalling rules but not prolonged for hours.
The problem with an RODC is tha...
2024 Dec 06
1
Recently joined RODC looses machine accounts
...time we have used a RODC; our choice was more of a
>> security-oriented one. The remote site should have about 30 servers,
>
> When you say '30 servers' is this 30 servers plus clients, or 30
> servers including clients ? if the former, then I suggest you upgrade
> to an RWDC.
Only the servers some of them are application servers therefore they
will become clients of the samba servers. But most of the clients will
remain in the main site.
> The problem with an RODC is that it cannot change anything, any changes
> have to be sent to another RWDC and then replicat...
2018 Nov 22
2
machine account on RODC
Hello everybody,
if I set up a RODC in a different site with an own subnet do I have to
replicate the machine-passwords with "samba-tool rodc reload host\$
--server=addc"? Or can a machine always authenticate against a RODC?
Greetings
Stefan