s4-drs: Working on Support RODC

Fernando J V da Silva fernandojvsilva at yahoo.com.br
Wed Feb 10 10:44:36 MST 2010


Hi! Thanks Nadya!

Hi Anatoliy! Is there something I could do to help with the
"Support RODC" development?

Regards,

-- 
Fernando J V da Silva
M Sc Computer Science Student
Institute of Computing, State University of Campinas
+55 15 8801-2165



2010/2/10 Nadezhda Ivanova <nivanova at samba.org>:
> Hi,
> Anatoliy is already working in this one, You can write to him to see how you
> can cooperate.
>
> Regards,
> Nadya
>
> On Wed, Feb 10, 2010 at 7:26 PM, Fernando J V da Silva
> <fernandojvsilva at yahoo.com.br> wrote:
>>
>> Hi!
>>
>> I'm thinking about contributing to "Support RODC" (mentioned in the DRS ToDo
>> List). Is there anybody already working on it? Is there any advice
>> on which task I should start with?
>>
>> > Support RODC
>> > An RODC (read-only domain controller) is a potentially very useful use
>> > case for Samba4. There are quite a lot of changes in replication and
>> > attribute filtering that should be done when we are an RODC.
>> > Tasks:
>> > - Modify the provision script to mimic the dcpromo to RODC operations
>>
>> Is there any documentation I could look at to check what
>> exactly should be done on provision when it is an RODC?
>>
>> > - Support for the RODC filtered attribute set
>> > - Implement marking an attribute as confidential.
>>
>> I'm thinking about creating a separate function in dsdb/common/util.c
>> for each of the above two tasks ... Then perhaps creating other
>> functions to access those from Python, and perhaps using some tool
>> (ldbadd, ldbmodify ... ?) to allow users to create RODC filtered
>> attrs or mark attrs as confidential ...
>>
>> > - Create the RODC default filtered attribute set:
>>
>> Should that RODC default filtered attribute set be created during
>> provision? If not, where exactly should they be created?
>>
>>
>> > - Mark as confidential any attributes that you configure as part of the
>> > RODC filtered attribute set.
>> > - Support Administrator role separation - delegate the local
>> > administrator of an RODC to a domain user or security group without granting
>> > that user or group any rights for the domain or other domain controllers.
>> > - Unidirectional replication - allow only inbound replication
>> > - Read-only database - LDAP clients that want to perform a write
>> > operation are referred to a writable domain controller in the hub site.
>> > - Credential caching - By default, an RODC does not store account
>> > credentials, except for its own computer account and a special krbtgt
>> > account for that
>> > RODC. You must explicitly allow any other credentials to be cached on
>> > that RODC, including the appropriate user, computer, and service accounts,
>> > to
>> > allow the RODC to satisfy authentication and service ticket requests
>> > locally.
>>
>>
>> I'll be glad for any help! :-)
>>
>>
>> --
>> Fernando J V da Silva
>> M Sc Computer Science Student
>> Institute of Computing, State University of Campinas
>> +55 15 8801-2165
>
>
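The two tasks Fernando asks about (the RODC filtered attribute set and marking attributes confidential) both come down to bits in the searchFlags attribute of the attributeSchema objects, fRODCFilteredAttribute (0x200) and fCONFIDENTIAL (0x80) as defined in MS-ADTS 2.2.9. The example below, written for this thread and not taken from Samba, shows how a helper could set those bits, emit the LDIF an ldbmodify run would apply, check that every FAS member is also confidential (the ToDo list requires it), and strip FAS attributes from an object before it is replicated to an RODC. The schema naming context, the attributeSchema entries and the computer object are constructed sample data; the function names are this example's own.

```python
"""RODC filtered attribute set (FAS) and confidential attributes modelled
through the searchFlags bits that MS-ADTS 2.2.9 defines on attributeSchema
objects. Illustrative example written for this thread, not Samba code; the
schema DNs, attribute entries and the replicated object are constructed."""

# searchFlags bits from MS-ADTS 2.2.9.
fCONFIDENTIAL = 0x80             # reading requires an extra control access right
fRODCFilteredAttribute = 0x200   # member of the FAS, never sent to an RODC

# Assumed schema naming context for the sample DNs (not a real domain).
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"

# Constructed sample schema: lDAPDisplayName -> (attributeSchema DN, searchFlags).
SAMPLE_SCHEMA = {
    "msFVE-RecoveryPassword": ("CN=ms-FVE-RecoveryPassword," + SCHEMA_NC, 0),
    "msTPM-OwnerInformation": ("CN=ms-TPM-OwnerInformation," + SCHEMA_NC, 0),
    "description": ("CN=Description," + SCHEMA_NC, 0),
    "sAMAccountName": ("CN=SAM-Account-Name," + SCHEMA_NC, 0x1),  # fATTINDEX only
}


def mark_confidential(schema, attr):
    """Set fCONFIDENTIAL on attr; returns the new searchFlags value."""
    dn, flags = schema[attr]
    schema[attr] = (dn, flags | fCONFIDENTIAL)
    return schema[attr][1]


def mark_rodc_filtered(schema, attr):
    """Add attr to the RODC filtered attribute set.

    The ToDo item says anything placed in the FAS must also be marked
    confidential, so both bits are set in one step rather than leaving the
    attribute readable by every authenticated user on writable DCs."""
    dn, flags = schema[attr]
    schema[attr] = (dn, flags | fRODCFilteredAttribute | fCONFIDENTIAL)
    return schema[attr][1]


def search_flags_ldif(schema, attr):
    """LDIF for the searchFlags change, suitable for feeding to ldbmodify."""
    dn, flags = schema[attr]
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: searchFlags\n"
        f"searchFlags: {flags}\n"
    )


def rodc_filtered_set(schema):
    """lDAPDisplayNames currently in the FAS."""
    return sorted(a for a, (_dn, f) in schema.items() if f & fRODCFilteredAttribute)


def fas_missing_confidential(schema):
    """FAS members lacking fCONFIDENTIAL; a non-empty result is a misconfiguration."""
    return sorted(a for a, (_dn, f) in schema.items()
                  if f & fRODCFilteredAttribute and not f & fCONFIDENTIAL)


def filter_for_rodc(obj, schema):
    """Strip FAS attributes from an object before replicating it to an RODC.

    Only fRODCFilteredAttribute matters here: fCONFIDENTIAL is an access check
    applied at read time, not a replication filter, so a confidential but not
    filtered attribute is still replicated. Names are compared case-insensitively
    because lDAPDisplayName comparisons are."""
    filtered = {a.lower() for a in rodc_filtered_set(schema)}
    return {a: v for a, v in obj.items() if a.lower() not in filtered}


if __name__ == "__main__":
    schema = dict(SAMPLE_SCHEMA)
    mark_rodc_filtered(schema, "msFVE-RecoveryPassword")
    mark_confidential(schema, "description")
    print(search_flags_ldif(schema, "msFVE-RecoveryPassword"))
    # Constructed computer object as a writable DC would hold it.
    obj = {
        "sAMAccountName": [b"WS1$"],
        "description": [b"laptop"],
        "msFVE-RecoveryPassword": [b"constructed-recovery-key"],
    }
    print(sorted(filter_for_rodc(obj, schema)))
```

Note that marking an attribute confidential on its own does not keep it off an RODC; only the FAS bit does that, which is why the ToDo list pairs the two. Secret attributes such as password hashes are handled separately by the password replication policy and are not part of this example.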


More information about the samba-technical mailing list