[Samba] RODC and LDAP via Simple Authentication fails

Gaetan SLONGO gslongo at it-optics.com
Thu Jan 25 09:40:53 UTC 2018

Hi Rowland, 

Is there official documentation about creating multiple domains with trusts? I can't find it.


----- Original message -----

From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Cc: "Johannes Engel" <jcnengel+samba at gmail.com>
Sent: Monday 22 January 2018 21:22:14
Subject: Re: [Samba] RODC and LDAP via Simple Authentication fails

On Mon, 22 Jan 2018 20:36:04 +0100 
Johannes Engel via samba <samba at lists.samba.org> wrote: 

> Dear all, 
> setting up a DMZ environment I was thinking to use an RODC there for 
> user authentication. One of the applications in the DMZ needs to access
> the directory via LDAP. 
> When I tried to connect to the RODC using LDAP with simple bind, I 
> always received the following error 
> ldap_bind: Invalid credentials (49) 
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment: 
> AcceptSecurityContext error, data 6fa, v1db1 
> even though the credentials used are correct and do work with the 
> "normal" DCs. 
> I have already added the corresponding user to the group "Allowed RODC 
> Password Replication Group", but that did not change anything... 
> Authentication through Kerberos seems to work, but is not an option 
> for the application, unfortunately. 
> Did I miss anything that prevents my scenario from working by design?
> Thanks a lot for your help! 
> Best regards 
> Johannes 

I wouldn't do this, the DC (RODC or otherwise) would have to be a 
global catalogue. Try reading this: 


In short, you need to set up a domain in the DMZ and then set up a trust
between this domain and your other domain.




Gaëtan SLONGO | Head of Infrastructure Department 
Boulevard Initialis, 28 - 7000 Mons, BELGIUM 
Company : 	+32 (0)65 84 23 85 
Direct : 	+32 (0)65 32 85 88 
Fax : 	+32 (0)65 84 66 76 
Skype ID : 	gslongo.pro 
GPG Key : 	gslongo-gpg_key.asc 
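
Added example, not part of the original thread: a small Python parser for the diagnostic string quoted in the question. The `data` field is a hexadecimal Win32 error code; `6fa` is 1786, ERROR_NO_TRUST_LSA_SECRET, which is distinct from the `52e` that a wrong password produces. The grouping labels (`credential`, `account-policy`, `machine-trust`) are this example's own, and the sample string is copied from the quoted output.

```python
import re

# Win32 error codes seen in the "data" field of a failed AD-style LDAP bind.
# The second element is this example's own triage label (an assumption, not
# something the server reports).
WIN32_BIND_ERRORS = {
    0x525: ("ERROR_NO_SUCH_USER", "credential"),
    0x52E: ("ERROR_LOGON_FAILURE", "credential"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "account-policy"),
    0x531: ("ERROR_INVALID_WORKSTATION", "account-policy"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "account-policy"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account-policy"),
    0x6FA: ("ERROR_NO_TRUST_LSA_SECRET", "machine-trust"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account-policy"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "account-policy"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account-policy"),
}

DIAG_RE = re.compile(
    r"(?P<sspi>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"comment:\s*(?P<comment>.*?),\s*data\s+(?P<data>[0-9A-Fa-f]+),\s*"
    r"v(?P<build>[0-9A-Fa-f]+)"
)

def parse_bind_diagnostic(text):
    """Return the decoded fields of a bind diagnostic, or None if no match."""
    # Clients such as ldapsearch wrap the message, so collapse whitespace first.
    m = DIAG_RE.search(" ".join(text.split()))
    if m is None:
        return None
    code = int(m["data"], 16)
    name, kind = WIN32_BIND_ERRORS.get(code, ("unknown", "unknown"))
    return {
        "sspi": int(m["sspi"], 16),   # SSPI status returned to the LDAP layer
        "dsid": m["dsid"],            # server-internal source location id
        "comment": m["comment"],
        "win32": code,
        "name": name,
        "kind": kind,
    }

# Diagnostic text as quoted in the thread, including the line wrap.
SAMPLE = """additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
 AcceptSecurityContext error, data 6fa, v1db1"""

if __name__ == "__main__":
    print(parse_bind_diagnostic(SAMPLE))
```

A `machine-trust` result points the investigation at the server that handled the bind rather than at the account's password.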
