[Samba] RODC and LDAP via Simple Authentication fails

Johannes Engel jcnengel+samba at gmail.com
Mon Jan 22 20:33:11 UTC 2018

Hi Rowland,

thanks a lot for the hint. I will read through this.

Best regards

Am 22.01.2018 um 21:22 schrieb Rowland Penny:
> On Mon, 22 Jan 2018 20:36:04 +0100
> Johannes Engel via samba <samba at lists.samba.org> wrote:
>> Dear all,
>> setting up a DMZ environment I was thinking to use an RODC there for
>> user authentication. One of the application in the DMZ needs to access
>> the directory via LDAP.
>> When I tried to connect to the RODC using LDAP with simple bind, I
>> always received the following error
>> ldap_bind: Invalid credentials (49)
>>         additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 6fa, v1db1
>> even though the credentials used are correct and do work with the
>> "normal" DCs.
>> I have already added the corresponding user to the group "Allowed RODC
>> Password Replication Group", but that did not change anything...
>> Authentication through Kerberos seems to work, but is not an option
>> for the application, unfortunately.
>> Did I miss anything that prevents my scenario to work by design?
>> Thanks a lot for your help!
>> Best regards
>> Johannes
> I wouldn't do this, the DC (RODC or otherwise) would have to be a
> global catalogue. Try reading this:
> https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/
> In short, you need to setup a domain in the DMZ and then setup a trust
> between this domain and your other domain.
> Rowland

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 512 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180122/db3580b8/signature.sig>

More information about the samba mailing list