[Samba] RODC and LDAP via Simple Authentication fails

Gaetan SLONGO gslongo at it-optics.com
Thu Jan 25 09:40:53 UTC 2018


Hi Rowland, 


There is official documentation about creating multiple domains with trusts ? I can't find it 


Thanks 

----- Mail original -----

De: "Rowland Penny via samba" <samba at lists.samba.org> 
À: samba at lists.samba.org 
Cc: "Johannes Engel" <jcnengel+samba at gmail.com> 
Envoyé: Lundi 22 Janvier 2018 21:22:14 
Objet : Re: [Samba] RODC and LDAP via Simple Authentication fails 

On Mon, 22 Jan 2018 20:36:04 +0100 
Johannes Engel via samba <samba at lists.samba.org> wrote: 

> Dear all, 
> 
> setting up a DMZ environment I was thinking to use an RODC there for 
> user authentication. One of the application in the DMZ needs to access 
> the directory via LDAP. 
> 
> When I tried to connect to the RODC using LDAP with simple bind, I 
> always received the following error 
> 
> ldap_bind: Invalid credentials (49) 
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment: 
> AcceptSecurityContext error, data 6fa, v1db1 
> 
> even though the credentials used are correct and do work with the 
> "normal" DCs. 
> 
> I have already added the corresponding user to the group "Allowed RODC 
> Password Replication Group", but that did not change anything... 
> 
> Authentication through Kerberos seems to work, but is not an option 
> for the application, unfortunately. 
> 
> Did I miss anything that prevents my scenario to work by design? 
> Thanks a lot for your help! 
> 
> Best regards 
> Johannes 
> 
> 

I wouldn't do this, the DC (RODC or otherwise) would have to be a 
global catalogue. Try reading this: 

https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/ 

In short, you need to setup a domain in the DMZ and then setup a trust 
between this domain and your other domain. 

Rowland 


-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 



-- 




www.it-optics.com 
	
Gaëtan SLONGO | Head of Infrastructure Department 
Boulevard Initialis, 28 - 7000 Mons, BELGIUM 
Company : 	+32 (0)65 84 23 85 
Direct : 	+32 (0)65 32 85 88 
Fax : 	+32 (0)65 84 66 76 
Skype ID : 	gslongo.pro 
GPG Key : 	gslongo-gpg_key.asc 
	

- Please consider your environmental responsibility before printing this e-mail - 










More information about the samba mailing list