[Samba] RODC and LDAP via Simple Authentication fails
Johannes Engel
jcnengel+samba at gmail.com
Mon Jan 22 20:33:11 UTC 2018
Hi Rowland,
thanks a lot for the hint. I will read through this.
Best regards
Johannes
Am 22.01.2018 um 21:22 schrieb Rowland Penny:
> On Mon, 22 Jan 2018 20:36:04 +0100
> Johannes Engel via samba <samba at lists.samba.org> wrote:
>
>> Dear all,
>>
>> setting up a DMZ environment I was thinking to use an RODC there for
>> user authentication. One of the application in the DMZ needs to access
>> the directory via LDAP.
>>
>> When I tried to connect to the RODC using LDAP with simple bind, I
>> always received the following error
>>
>> ldap_bind: Invalid credentials (49)
>> additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 6fa, v1db1
>>
>> even though the credentials used are correct and do work with the
>> "normal" DCs.
>>
>> I have already added the corresponding user to the group "Allowed RODC
>> Password Replication Group", but that did not change anything...
>>
>> Authentication through Kerberos seems to work, but is not an option
>> for the application, unfortunately.
>>
>> Did I miss anything that prevents my scenario to work by design?
>> Thanks a lot for your help!
>>
>> Best regards
>> Johannes
>>
>>
> I wouldn't do this, the DC (RODC or otherwise) would have to be a
> global catalogue. Try reading this:
>
> https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/
>
> In short, you need to setup a domain in the DMZ and then setup a trust
> between this domain and your other domain.
>
> Rowland
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 512 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180122/db3580b8/signature.sig>
More information about the samba
mailing list