search for: rwdc

...e it atm. could you please develop on that RODC support? I am very curious to know what should be working and what should not. Actually I've been using RODC with partial success: RODC join, user and machine account preload (with corresponding patch), dns update throught netlogon service on RWDC, connexion when RWDC is disconnected. It has been running in production in our datacenter for webapp authentication for months, albeit with some hicups. I has never been completly fine from a stability and reproductibility point of view, and I switched it back to RWDC earlier this week.... Tha...

...wrote: > > > Hello, > > > > Recently I started using RODC servers on my environment and noticed a > > few issues with it: > > - lack of LDAP SPNs > > - "samba_dnsupdate" not working with "insufficient access rights" (it > > works from RWDCs) > > Probably because you cannot write to an RODC > Yes! That's the idea! But if these records are not automatically registered, means admin always have to add them manually. This should be documented so... > > > - "samba-tool dbcheck" changes instancetype of basi...

...nd > user credentials have been preloaded). Everything works fine on local > server. However if I want to connect to central office ressources, > kerberos auth does not work for central servers. > > According to MS docs [1], the RODC should forward the KRB_TGS_REQ to > the hub RWDC so that it can compute the corresponding service ticket > and send it back to the RODC which forwards it to the workstation. > > However it does not seem to happen in my case. I wanted to know if > someone had succeeded to make it work in such a scenario, and what I > may have don...

...al RODC server (workstation and user credentials have been preloaded). Everything works fine on local server. However if I want to connect to central office ressources, kerberos auth does not work for central servers. According to MS docs [1], the RODC should forward the KRB_TGS_REQ to the hub RWDC so that it can compute the corresponding service ticket and send it back to the RODC which forwards it to the workstation. However it does not seem to happen in my case. I wanted to know if someone had succeeded to make it work in such a scenario, and what I may have done wrong. Samba 4.1.16 o...

...t; think and there should be no heimdal inside. > > I'm going to check that kind of setup with sernet packages and see if > it gets any better. By the way, the issue can be reproduced on command > line on the rodc (in the excerpt below, rodc-nantes is the rodc, > srvads is the rwdc and everything works fine except this issue) : > > [root at rodc-nantes.tranq ~]# shorewall start > > [root at rodc-nantes.tranq ~]# kinit dcardon > Password for dcardon at TRANQUILIT.LOCAL: > > [root at rodc-nantes.tranq ~]# shorewall clear > > [root at rodc-nantes.tran...

...c.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = AD1.LOCAL [realms] AD1.LOCAL = { default_domain = ad1.local #----- RODC --------- kdc = public.ad1.local:88 admin_server = public.ad1.local:749 #----- RWDC --------- #rwdc kdc = ad1.local:88 #rwdc admin_server = ad1.local:749 } [domain_realm] ad1.local = AD1.LOCAL -------------------------------------- /etc/samba/smb.conf -------------------------------------- [global] log file = /var/log/samba/log.%m...

I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm able to successfully join the client: [root at vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123 ... libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_na...

...MIT kerberos libraries I think and there should be no heimdal inside. I'm going to check that kind of setup with sernet packages and see if it gets any better. By the way, the issue can be reproduced on command line on the rodc (in the excerpt below, rodc-nantes is the rodc, srvads is the rwdc and everything works fine except this issue) : [root at rodc-nantes.tranq ~]# shorewall start [root at rodc-nantes.tranq ~]# kinit dcardon Password for dcardon at TRANQUILIT.LOCAL: [root at rodc-nantes.tranq ~]# shorewall clear [root at rodc-nantes.tranq ~]# klist Ticket cache: FILE:/tmp/krb5c...

Hello, Recently I started using RODC servers on my environment and noticed a few issues with it: - lack of LDAP SPNs - "samba_dnsupdate" not working with "insufficient access rights" (it works from RWDCs) - "samba-tool dbcheck" changes instancetype of basically all objects from 4 to 0. New replicated objects continues being created with instancetype 4 and dbcheck continues to change them - "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED - "samba-tool domai...

...hould be no heimdal inside. >> >> I'm going to check that kind of setup with sernet packages and see if >> it gets any better. By the way, the issue can be reproduced on >> command line on the rodc (in the excerpt below, rodc-nantes is the >> rodc, srvads is the rwdc and everything works fine except this issue) : >> >> [root at rodc-nantes.tranq ~]# shorewall start >> >> [root at rodc-nantes.tranq ~]# kinit dcardon >> Password for dcardon at TRANQUILIT.LOCAL: >> >> [root at rodc-nantes.tranq ~]# shorewall clear >&gt...

...gt; > > > > > Recently I started using RODC servers on my environment and > > > noticed a few issues with it: > > > - lack of LDAP SPNs > > > - "samba_dnsupdate" not working with "insufficient access > > > rights" (it works from RWDCs) > > > > Probably because you cannot write to an RODC > > > > Yes! That's the idea! But if these records are not automatically > registered, means admin always have to add them manually. This should > be documented so... In the Samba world, working RODC'...

...onments requiring no writable > > behaviour. > > > > This seems to suggest that using an RODC is no longer experimental > > and can be using in production. > > > > However, if there isn't the structure in place to forward all write > > operations to an RWDC, then how can it be used in production ? > > As far as I remember, change passwords initiated by machines shouldn't > have unjoined the domain (but passwords could fail to rotate). Most of > the write operations just come across as LDAP referrals, so it's > generally the cli...

Hello everybody, if I set up a RODC in a different site with an own subnet do I have to replicate the machine-passwords with "samba-tool rodc reload host\$ --server=addc"? Or can a machine always authenticate against a RODC? Greetings Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195

...gt; > Recently I started using RODC servers on my environment and > > > > noticed a few issues with it: > > > > - lack of LDAP SPNs > > > > - "samba_dnsupdate" not working with "insufficient access > > > > rights" (it works from RWDCs) > > > > > > Probably because you cannot write to an RODC > > > > > > > Yes! That's the idea! But if these records are not automatically > > registered, means admin always have to add them manually. This should > > be documented so... > &gt...

...please develop on that RODC support? I am very curious to know > what should be working and what should not. > > Actually I've been using RODC with partial success: RODC join, user and > machine account preload (with corresponding patch), dns update throught > netlogon service on RWDC, connexion when RWDC is disconnected. It has > been running in production in our datacenter for webapp authentication > for months, albeit with some hicups. I has never been completly fine > from a stability and reproductibility point of view, and I switched it > back to RWDC earlier th...

...an own subnet do I have to >> replicate the machine-passwords with "samba-tool rodc reload host\$ >> --server=addc"? Or can a machine always authenticate against a RODC? >> > > It is my understanding that an RODC never really does authentication > like a normal RWDC. When authentication is asked for, the RODC first > checks its cache and if the required data is cached, authentication is > granted. If it isn't cached, an RWDC is queried which authenticates > the request, if appropriate, and the RODC then, if configured to do > so, asks for the p...

...office. While I have no issue making one of >> the file servers also function as a backup DC, I really don't >> want to add yet another server to the mix to handle a single >> role. > > I know Windows sysadmins refer to DC's via various different names, but > AD RWDC's are all the same apart from the FSMO roles and they can be on > any DC. > > If resources are limited, you can use a DC as a fileserver, you just > have to be aware of the limitations. > > Rowland > I'm newbie lost with the terminology :) Currently I have two serv...

...e critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour. This seems to suggest that using an RODC is no longer experimental and can be using in production. However, if there isn't the structure in place to forward all write operations to an RWDC, then how can it be used in production ? Rowland

Hi, I would like to join a samba 4.2.0 file server sitting in a branch office, with connection only to a RODC (and only the RODC can talk to the RWDC). Was wondering what's the workflow for doing this in samba. For Windows machines, Microsoft seems to have planned two workflows for this: 1. Use new flag to NetJoinDomain() API to join using the RODC (https://technet.microsoft.com/en-us/library/dd728035%28v=ws.10%29.aspx#run_join_script). W...

...;> > > Yes it should and there is a bug report for something similar already, > see here: https://bugzilla.samba.org/show_bug.cgi?id=13377 > > I know that is for members of the denied group, but the substance is > the same, users are not getting authenticated on a RODC from a RWDC. > > Can you please add to that bug report ? > > Rowland > > Thanks Rowland, that's exactly the topic. Garming Sam has commented it yesterday, the issue is that kerberos forwarding isn't implemented for now. That is exactly what wee seeing, authentication works __af...