[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub ressources

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Feb 10 13:54:39 MST 2015

Hi everyone,

I would like to have some input on ressources access from a workstation 
logged on a RODC server that has to connect on hub site servers.

After login in the remote windows workstation, I have LOGONSERVER 
environment variable set to the local RODC server (workstation and user 
credentials have been preloaded). Everything works fine on local server. 
However if I want to connect to central office ressources, kerberos auth 
does not work for central servers.

According to MS docs [1], the RODC should forward the KRB_TGS_REQ to the 
hub RWDC so that it can compute the corresponding service ticket and 
send it back to the RODC which forwards it to the workstation.

However it does not seem to happen in my case. I wanted to know if 
someone had succeeded to make it work in such a scenario, and what I may 
have done wrong.

Samba 4.1.16 on both sites with rodc preload patches and no firewall 
inbetween (except temporarily when I want to force login on the rodc, 
then iptables clear).



paragraph "BobKelly accesses a resource on a server in a different site"

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

More information about the samba mailing list