[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Tue Feb 10 13:54:39 MST 2015
Hi everyone,
I would like to have some input on resource access from a workstation
logged on to an RODC server that has to connect to hub site servers.
After logging in on the remote Windows workstation, I have the LOGONSERVER
environment variable set to the local RODC server (workstation and user
credentials have been preloaded). Everything works fine on the local server.
However, if I want to connect to central office resources, Kerberos auth
does not work for central servers.
According to MS docs [1], the RODC should forward the KRB_TGS_REQ to the
hub RWDC so that it can compute the corresponding service ticket and
send it back to the RODC which forwards it to the workstation.
However, it does not seem to happen in my case. I wanted to know if
someone had succeeded in making it work in such a scenario, and what I may
have done wrong.
Samba 4.1.16 on both sites with RODC preload patches and no firewall
in between (except temporarily when I want to force login on the RODC,
then iptables clear).
Thanks,
Denis
[1] https://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC
paragraph "BobKelly accesses a resource on a server in a different site"
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr