[Samba] Samba 4.8 RODC not working

Gaetan SLONGO gslongo at it-optics.com
Wed Jun 13 10:28:23 UTC 2018


Hi Rowland, 


I have no homes share. As far as I know I should not have that share on a DC? 


Regarding the security consideration for a DMZ zone, what do you suggest instead of putting a RODC in it? 


Note: Yes, I can ping the DC, there is no routing / firewalling issue (validated). 


Thanks 

----- Original Message -----

From: "Rowland Penny via samba" <samba at lists.samba.org> 
To: samba at lists.samba.org 
Sent: Wednesday 13 June 2018 12:17:49 
Subject: Re: [Samba] Samba 4.8 RODC not working 

On Wed, 13 Jun 2018 11:33:48 +0200 (CEST) 
Gaetan SLONGO <gslongo at it-optics.com> wrote: 

> 
> Here it is. It talks about homes share but I think we don't care ? 
> Final error is not explicit to me.. Maybe you? 
> 
> 
> 
> INFO: Current debug levels: 
> all: 10 
> tdb: 10 
> printdrivers: 10 
> lanman: 10 
> smb: 10 
> rpc_parse: 10 
> rpc_srv: 10 
> rpc_cli: 10 
> passdb: 10 
> sam: 10 
> auth: 10 
> winbind: 10 
> vfs: 10 
> idmap: 10 
> quota: 10 
> acls: 10 
> locking: 10 
> msdfs: 10 
> dmapi: 10 
> registry: 10 
> scavenger: 10 
> dns: 10 
> ldb: 10 
> tevent: 10 
> auth_audit: 10 
> auth_json_audit: 10 
> kerberos: 10 
> drs_repl: 10 
> smb2: 10 
> smb2_credits: 10 
> winbindd version 4.8.2-SerNet-RedHat-10.el7 started. 
> Copyright Andrew Tridgell and the Samba Team 1992-2018 
> lp_load_ex: refreshing parameters 
> Initialising global parameters 
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
> (16384) INFO: Current debug levels: 
> all: 10 
> tdb: 10 
> printdrivers: 10 
> lanman: 10 
> smb: 10 
> rpc_parse: 10 
> rpc_srv: 10 
> rpc_cli: 10 
> passdb: 10 
> sam: 10 
> auth: 10 
> winbind: 10 
> vfs: 10 
> idmap: 10 
> quota: 10 
> acls: 10 
> locking: 10 
> msdfs: 10 
> dmapi: 10 
> registry: 10 
> scavenger: 10 
> dns: 10 
> ldb: 10 
> tevent: 10 
> auth_audit: 10 
> auth_json_audit: 10 
> kerberos: 10 
> drs_repl: 10 
> smb2: 10 
> smb2_credits: 10 
> Processing section "[global]" 
> doing parameter netbios name = DMZRODC 
> doing parameter realm = ADS.MYDOMAIN.BE 
> doing parameter server role = active directory domain controller 
> doing parameter workgroup = MYDOMAIN 
> doing parameter log level = 10 
> pm_process() returned Yes 
> lp_servicenumber: couldn't find homes 
> messaging_dgm_ref: messaging_dgm_init returned Succès 
> messaging_dgm_ref: unique = 11509548009454711159 
> Registering messaging pointer for type 2 - private_data=(nil) 
> Registering messaging pointer for type 9 - private_data=(nil) 
> Registered MSG_REQ_POOL_USAGE 
> Registering messaging pointer for type 11 - private_data=(nil) 
> Registering messaging pointer for type 12 - private_data=(nil) 
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED 
> Registering messaging pointer for type 1 - private_data=(nil) 
> Registering messaging pointer for type 5 - private_data=(nil) 
> Registering messaging pointer for type 51 - private_data=(nil) 
> messaging_init_internal: my id: 13124 
> lp_load_ex: refreshing parameters 
> Freeing parametrics: 
> Initialising global parameters 
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
> (16384) INFO: Current debug levels: 
> all: 10 
> tdb: 10 
> printdrivers: 10 
> lanman: 10 
> smb: 10 
> rpc_parse: 10 
> rpc_srv: 10 
> rpc_cli: 10 
> passdb: 10 
> sam: 10 
> auth: 10 
> winbind: 10 
> vfs: 10 
> idmap: 10 
> quota: 10 
> acls: 10 
> locking: 10 
> msdfs: 10 
> dmapi: 10 
> registry: 10 
> scavenger: 10 
> dns: 10 
> ldb: 10 
> tevent: 10 
> auth_audit: 10 
> auth_json_audit: 10 
> kerberos: 10 
> drs_repl: 10 
> smb2: 10 
> smb2_credits: 10 
> Processing section "[global]" 
> doing parameter netbios name = DMZRODC 
> doing parameter realm = ADS.MYDOMAIN.BE 
> doing parameter server role = active directory domain controller 
> doing parameter workgroup = MYDOMAIN 
> doing parameter log level = 10 
> pm_process() returned Yes 
> lp_servicenumber: couldn't find homes 
> added interface eth0 ip=192.168.19.5 bcast=192.168.19.255 
> netmask=255.255.255.0 Netbios name list:- 
> my_netbios_names[0]="DMZRODC" 
> added interface eth0 ip=192.168.19.5 bcast=192.168.19.255 
> netmask=255.255.255.0 exit_daemon: STATUS=daemon failed to start: 
> Failed to create session, error code 1 
> 
> 

Not that it helps, but I have now noticed why you want the RODC: you 
want to do something stupid like putting it into a DMZ zone. 
This is not recommended, it is a security risk. 

If you must do this, then do you have a share in smb.conf called 
'[homes]'? If so, remove the trailing 's', i.e. make it '[home]', and 
read the wiki. 

Running out of ideas now, except: can you ping a DC from the RODC? 

Rowland 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 



-- 

www.it-optics.com 

Gaëtan SLONGO | Head of Infrastructure Department 
Boulevard Initialis, 28 - 7000 Mons, BELGIUM 
Company: +32 (0)65 84 23 85 
Direct: +32 (0)65 32 85 88 
Fax: +32 (0)65 84 66 76 
Skype ID: gslongo.pro 
GPG Key: gslongo-gpg_key.asc 

- Please consider your environmental responsibility before printing this e-mail - 
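As an added example (not part of this thread and not Samba's own code): a small Python checker for the two things the quoted reply asks about, whether smb.conf defines a `[homes]` share on a host whose `server role` is an AD domain controller, and what parameters and exit status the winbindd debug log reports. The smb.conf and log excerpts embedded in it are constructed from the values quoted in the thread (the wrapped `exit_daemon` line is joined onto one line); the `[homes]` section is added only to exercise the check, and `summarise_winbindd_log` and `check_dc_config` are names chosen here, not Samba APIs.

```python
"""Added example (not Samba code): check an smb.conf for a [homes] share on
an AD DC and pull the effective parameters and exit status out of a
winbindd debug log. Both inputs below are constructed from values quoted
in the thread."""
import re

# Constructed smb.conf: the [global] values are the ones the debug log shows
# with "doing parameter"; the [homes] share is added to exercise the check.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = DMZRODC
    realm = ADS.MYDOMAIN.BE
    server role = active directory domain controller
    workgroup = MYDOMAIN
    log level = 10

[homes]
    read only = no
"""

# Constructed winbindd log excerpt (the wrapped exit line joined onto one line).
SAMPLE_LOG = """\
Processing section "[global]"
doing parameter netbios name = DMZRODC
doing parameter realm = ADS.MYDOMAIN.BE
doing parameter server role = active directory domain controller
doing parameter workgroup = MYDOMAIN
doing parameter log level = 10
lp_servicenumber: couldn't find homes
exit_daemon: STATUS=daemon failed to start: Failed to create session, error code 1
"""


def _norm(name):
    """smb.conf parameter and section names are case-insensitive; collapse whitespace."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {parameter: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # parameter outside a section, or junk
            continue
        key, value = line.split("=", 1)
        sections[current][_norm(key)] = value.strip()
    return sections


def summarise_winbindd_log(text):
    """Extract the parameters lp_load applied and the daemon exit status."""
    params = {}
    exit_status = None
    homes_lookup_failed = False
    for line in text.splitlines():
        m = re.match(r"doing parameter (.+?) = (.*)$", line)
        if m:
            params[_norm(m.group(1))] = m.group(2).strip()
            continue
        m = re.match(r"exit_daemon: STATUS=(.*)$", line)
        if m:
            exit_status = m.group(1).strip()
        elif "lp_servicenumber: couldn't find homes" in line:
            homes_lookup_failed = True
    return {"parameters": params, "exit_status": exit_status,
            "homes_lookup_failed": homes_lookup_failed}


def check_dc_config(sections, log_summary=None):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    role = sections.get("global", {}).get("server role", "")
    is_dc = "domain controller" in role.lower()
    if is_dc and "homes" in sections:
        findings.append("[homes] share defined on an AD DC; the reply suggests renaming it to [home]")
    if log_summary:
        if log_summary["exit_status"]:
            findings.append("winbindd exited: " + log_summary["exit_status"])
        # A parameter the log applied with a different value than the file on disk
        # means the daemon read a different (or stale) smb.conf than the one inspected.
        for key, logged in log_summary["parameters"].items():
            on_disk = sections.get("global", {}).get(key)
            if on_disk is not None and on_disk != logged:
                findings.append(f"'{key}' is '{on_disk}' in smb.conf but '{logged}' in the log")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    summary = summarise_winbindd_log(SAMPLE_LOG)
    for finding in check_dc_config(conf, summary):
        print("-", finding)
```

Run against the constructed inputs it reports the `[homes]` share and the `exit_daemon` status; on a real host, read `/etc/samba/smb.conf` (or wherever `testparm` says the file lives) and the winbindd log in place of the two sample strings. The parameter comparison is there because a debug log is the only authoritative record of what the daemon actually loaded.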