[Samba] RODC and LDAP via Simple Authentication fails
Gaetan SLONGO
gslongo at it-optics.com
Thu Jan 25 09:40:53 UTC 2018
Hi Rowland,
Is there official documentation about creating multiple domains with trusts? I can't find it.
Thanks
----- Original Message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Cc: "Johannes Engel" <jcnengel+samba at gmail.com>
Sent: Monday 22 January 2018 21:22:14
Subject: Re: [Samba] RODC and LDAP via Simple Authentication fails
On Mon, 22 Jan 2018 20:36:04 +0100
Johannes Engel via samba <samba at lists.samba.org> wrote:
> Dear all,
>
> setting up a DMZ environment I was thinking to use an RODC there for
> user authentication. One of the application in the DMZ needs to access
> the directory via LDAP.
>
> When I tried to connect to the RODC using LDAP with simple bind, I
> always received the following error
>
> ldap_bind: Invalid credentials (49)
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 6fa, v1db1
>
> even though the credentials used are correct and do work with the
> "normal" DCs.
>
> I have already added the corresponding user to the group "Allowed RODC
> Password Replication Group", but that did not change anything...
>
> Authentication through Kerberos seems to work, but is not an option
> for the application, unfortunately.
>
> Did I miss anything that prevents my scenario to work by design?
> Thanks a lot for your help!
>
> Best regards
> Johannes
>
>
I wouldn't do this; the DC (RODC or otherwise) would have to be a
global catalogue. Try reading this:
https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/
In short, you need to set up a domain in the DMZ and then set up a trust
between this domain and your other domain.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
www.it-optics.com
Gaëtan SLONGO | Head of Infrastructure Department
Boulevard Initialis, 28 - 7000 Mons, BELGIUM
Company : +32 (0)65 84 23 85
Direct : +32 (0)65 32 85 88
Fax : +32 (0)65 84 66 76
Skype ID : gslongo.pro
GPG Key : gslongo-gpg_key.asc
- Please consider your environmental responsibility before printing this e-mail -
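The bind failure quoted in the thread carries an Active Directory diagnostic string ("80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 6fa, v1db1") whose "data" field is a Win32 error code; the decoder below, added here as an example and not code from the thread or from Samba, parses such strings from client error output and maps the code to its name (the table is taken from the public Win32 error list, so 6fa decodes to ERROR_NO_TRUST_LSA_SECRET and 52e to a plain bad password), which lets an operator tell a cached-secret problem on an RODC apart from an ordinary wrong password or a locked account when reviewing logs. The sample lines are constructed.

```python
"""Decode the diagnostic Active Directory (Samba AD DC included) returns on a
failed LDAP simple bind, as seen in ldap_bind's 'additional info' line."""
import re
from collections import Counter

# Win32 system error codes AD reports in the "data" field (hex on the wire).
# Table added from the public Win32 error list; not part of the thread.
AD_BIND_DATA_CODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",          # bad username/password
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x6FA: "ERROR_NO_TRUST_LSA_SECRET",    # the code in the quoted RODC error
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

_DIAG_RE = re.compile(
    r"(?P<status>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

def decode_bind_error(text):
    """Return a dict describing the AD bind diagnostic found in `text`,
    or None when the text carries no such diagnostic."""
    m = _DIAG_RE.search(text)
    if not m:
        return None
    data = int(m.group("data"), 16)
    return {
        "security_status": "0x" + m.group("status").lower(),  # 0x80090308 = SEC_E_INVALID_TOKEN
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": data,
        "reason": AD_BIND_DATA_CODES.get(data, "unknown Win32 error 0x%x" % data),
    }

def summarize_bind_failures(lines):
    """Count decoded failure reasons over a batch of client/log lines."""
    return Counter(r["reason"] for r in map(decode_bind_error, lines) if r)

SAMPLE_LINES = [  # constructed for this example; DSID reused from the thread
    "ldap_bind: Invalid credentials (49)",
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 6fa, v1db1",
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
]

if __name__ == "__main__":
    for reason, n in summarize_bind_failures(SAMPLE_LINES).items():
        print(f"{n} x {reason}")
```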