Samba v4 RODC status

Andreas Calvo flipy.bcn at gmail.com
Thu Aug 1 04:31:22 MDT 2013


I've been trying to set up a RODC in a lab environment, simulating an isolated
branch office with a poor WAN connection.

As for the setup, everything is virtualized and two separate virtual
networks have been used.

Joining a samba RODC to an existing samba domain works fine.
All schemas are transferred and the samba instance is joined and listed
successfully as an RODC.

But, when trying to prepopulate -- in samba, preload -- the user and
computer accounts, it fails on the latter, complaining about a transaction
not finished on a TDB file.
It seems that the preload script is only focused on users, not computers.

Moreover, listing cached credentials on the RODC gives no result in the
samba environment, and the prepopulate command fails.
Trying to log into a computer where the DC is not available still shows
the logon server as the DC, because it might be a cached session on the
local computer.

Performing the same cached password listing action on a Windows RODC shows
two default entries: a Kerberos ticket and the RODC account. And the
prepopulate command allows caching the computer and user accounts.
If a user logs into a computer when the DC is not available, the system
shows the RODC as the logon server.
It might be related to a missing RPC call to retrieve cached accounts on
the RODC.

I've tried to create a site and a subnet, and change the NextClosestSite
registry setting on the local computer to try to use the closest DC,
but it gives an "internal error" when the DC is not available.

As for the DNS entries, querying the main GC only shows the primary DC on
both scenarios.

As a result, having a samba RODC ends up with users not able to log into
the computer even if they are already part of the "Allowed RODC Password
Replication Group", as it shows an "internal error" on the logon screen.

On the RODC wiki page, it seems that everything is almost done -- apart
from the sysvol replication, but that's not only related to RODCs.

I have a couple of questions that may shed light on the problem, like:
- is any DNS change necessary?
- should the computer account be preloaded? (now it's just in the password
replication settings of the RODC)
- is it necessary to perform any change in the RODC to be listed as a valid
DC?
- is it necessary to change anything on the local computers?
- will it help to use sites and assign subnets?
- how should the GPOs (sysvol) be transferred? Is rsync enough?
- is there any test in the source code that performs all these steps and can
be emulated? (I just found one under wintest, but it is not the expected
scenario)

Thanks!
