[Samba] rodc and KRB_TGS_REQ forwarding to RWDC to access hub resources

Garming Sam garming at catalyst.net.nz
Tue Feb 10 15:19:49 MST 2015


As far as I know, all this should work as you would expect. Quite recently, 
Andrew Bartlett and I went about testing some of the behaviour of the 
KDC and confirming behaviour such as RODC ticket forwarding.

The one thing to check would be whether or not Samba is being linked 
against system Heimdal. As it stands, there is no real testing of Samba 
using system Heimdal and from the testing we've done, there are almost 
certainly oddities and unexpected failures with this setup - this included.


Garming Sam

On 11/02/15 09:54, Denis Cardon wrote:
> Hi everyone,
> I would like to have some input on resources access from a 
> workstation logged on a RODC server that has to connect on hub site 
> servers.
> After login in the remote windows workstation, I have LOGONSERVER 
> environment variable set to the local RODC server (workstation and 
> user credentials have been preloaded). Everything works fine on local 
> server. However if I want to connect to central office resources, 
> kerberos auth does not work for central servers.
> According to MS docs [1], the RODC should forward the KRB_TGS_REQ to 
> the hub RWDC so that it can compute the corresponding service ticket 
> and send it back to the RODC which forwards it to the workstation.
> However it does not seem to happen in my case. I wanted to know if 
> someone had succeeded to make it work in such a scenario, and what I 
> may have done wrong.
> Samba 4.1.16 on both sites with rodc preload patches and no firewall 
> in between (except temporarily when I want to force login on the rodc, 
> then iptables clear).
> Thanks,
> Denis
> [1] 
> https://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC
> paragraph "BobKelly accesses a resource on a server in a different site"
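The reply above suggests checking whether Samba was linked against the system Heimdal rather than its bundled copy. The following shell snippet is an added example, not code from the thread or from the Samba project: it classifies `ldd` output for a Samba binary by looking for the `-samba4` suffix that Samba's bundled Heimdal libraries carry (the library naming and the `lib/private` path are assumptions drawn from default Samba builds and may differ on a distribution package). The sample `ldd` lines at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Samba binary resolves
# its Kerberos library from Samba's bundled Heimdal or from the system.
# Assumption: bundled Heimdal is installed as libkrb5-samba4.so in
# <prefix>/lib/private, while a system Heimdal build links plain libkrb5.so.

# classify_krb5_link: reads ldd-style lines on stdin and prints one of
#   bundled  - libkrb5-samba4.so found (Samba's own Heimdal)
#   system   - plain libkrb5.so found (system Heimdal or MIT)
#   none     - no Kerberos library found in the input
classify_krb5_link() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'libkrb5-samba4\.so'; then
        echo bundled
    elif printf '%s\n' "$input" | grep -q 'libkrb5\.so'; then
        echo system
    else
        echo none
    fi
}

# check_samba_binary: run ldd on a real binary, e.g. /usr/local/samba/sbin/samba
check_samba_binary() {
    ldd "$1" 2>/dev/null | classify_krb5_link
}

# Constructed sample ldd lines (not real output from any host) used to show
# the two cases without needing a Samba installation.
SAMPLE_BUNDLED='libkrb5-samba4.so.26 => /usr/local/samba/lib/private/libkrb5-samba4.so.26 (0x00007f0000000000)'
SAMPLE_SYSTEM='libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f0000000000)'

# When given a path, inspect that binary; otherwise demonstrate on the samples.
if [ "$#" -gt 0 ]; then
    printf 'krb5 linkage of %s: ' "$1"
    check_samba_binary "$1"
else
    printf 'sample (bundled): '; printf '%s\n' "$SAMPLE_BUNDLED" | classify_krb5_link
    printf 'sample (system):  '; printf '%s\n' "$SAMPLE_SYSTEM"  | classify_krb5_link
fi
```

Run it as `sh check_krb5_link.sh /usr/local/samba/sbin/samba` on the RODC; a result of `system` means the build is in the untested configuration the reply warns about, and is the first thing to rule out before digging into the TGS forwarding itself.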
