[Samba] Can SAMBA work with 2008 R2 Read Only Domain controller

Jason Haar Jason.Haar at trimble.co.nz
Thu Jul 1 22:36:14 MDT 2010

 This is a "me too". We just installed a new CentOS server (running
self-compiled samba-3.5.4 from samba.org) into a remote site that only
has a RODC and although the domain join appeared to work fine, every few
hours it "drops off" the domain.


"net ads join" worked
"net ads testjoin" worked

but then hours later "net ads testjoin" returns "Failed to join domain:
failed to connect to AD: Decrypt integrity check failed Ok"

Strangely enough, if I then do

net ads testjoin -S real.remote.dc

that works just fine. Even stranger, immediately doing "net ads
testjoin" starts working again - for a few hours.

It looks like the RODC (I know this error occurs with the RODC - "-d9"
shows it) is returning some kind of unexpected error code when objects
aren't in its cache - and Samba freaks?

Note to Serge: I think hagai is - like me - referring to Samba as a
domain member - not as a domain controller.


On 06/07/2010 03:19 AM, Serge Fonville wrote:
> Hi,
> Have you read http://wiki.samba.org/index.php/Samba4_joining_a_domain ?
> # Samba4 joining a domain as a RODC
> Regards,
> Serge Fonville
> On Sun, Jun 6, 2010 at 5:12 PM, hagai yaffe <hagaiy at yahoo.com> wrote:
>> Hello,
>> We are planning to utilize Microsoft 2008 R2 Read Only Domain controller, and deploy RODCs in branches.
>> If I would like to have SAMBA servers in those branches, will I be able to add them to the domain (using "net ads join") and work with them, when using the RODCs as domain controllers configured in my smb.conf & krb5.conf?
>> I have looked around and did not find any documentation for SAMBA supporting / not supporting this.
>> I have done some testing and failed (I got "Failed to join domain: failed to connect to AD: Decrypt integrity check failed Ok" from the "net ads join" command). Before investing more time in troubleshooting, I hoped that someone could assist and tell me if such a configuration is possible.
>> If this is not possible, it would be great to know why.
>> Best Regards,
>> Hagai


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
