[Samba] machine account on RODC

Stefan Kania stefan at kania-online.de
Thu Nov 22 21:14:46 UTC 2018



Am 22.11.18 um 17:51 schrieb Rowland Penny via samba:
> On Thu, 22 Nov 2018 17:29:16 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
> 
>> Hello everybody,
>>
>> if I set up a RODC in a different site with an own subnet do I have to
>> replicate the machine-passwords with "samba-tool rodc reload host\$
>> --server=addc"? Or can a machine always authenticate against a RODC?
>>
> 
> It is my understanding that an RODC never really does authentication
> like a normal RWDC. When authentication is asked for, the RODC first
> checks its cache and if the required data is cached, authentication is
> granted. If it isn't cached, an RWDC is queried which authenticates
> the request, if appropriate, and the RODC then, if configured to do
> so, asks for the password to be replicated to the RODC.
> 
> Pre-loading passwords just speeds things up initially, but you will
> have to consider whether you really need the passwords on an RODC,
> this sort of defeats the point of an RODC.
> 
> Rowland
>    
> 

That is what I thought too, BUT:
We installed a RODC in a different subnet, created a site and moved the
RODC into the subnet. The two RW-DCs are in a physically different
subnet. If we log in with a user and start "cmd" and use "echo
%logonserver%" we see one of the RW-DCs in the main site. Then we
disabled the service with "systemctl stop sernet-samba-ad" on both RW-DCs and
tried to log in with a user who had already logged in to the win-client.
Then we got the message "the trust with the domain controller can't be
established". That's why I thought maybe we have to replicate the
password for the machine.
Can it be that it's because of the replication between the sites, which
will only be done every 180 minutes? That's the default setting. We
tested the login right after we had joined the new RODC. I have read the
thread about the missing DNS entries for the SRV record. I checked it,
we have the SRV records for kerberos and ldap.
For today it's quitting time (FEIERABEND); maybe it will work tomorrow after all the
replication stuff has been done.
If you or someone else has another idea, I'll take any advice I can get.

Stefan
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam. Sign your
e-mail. More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net

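Stefan says he checked that the site has SRV records for kerberos and ldap. The thing a client in the branch site actually relies on is the site-specific `_sites.dc._msdcs` records: if they are missing, or if they also list the RW-DCs from the main site, the client will keep locating the main-site DCs. The following checker is an added example, not code from this thread or from Samba; it parses saved `dig` answer lines and reports which DCs each site advertises. The domain `example.com`, the site names `Main` and `Branch`, and the host names are constructed for illustration.

```python
"""Check which DCs the site-specific SRV records advertise.

Added example (not from the samba thread or the Samba project). The
dig output below is constructed: domain example.com, site "Main" with
two RW-DCs and site "Branch" with one RODC.
"""
import re
from collections import defaultdict

# Constructed output of: dig +noall +answer SRV <name>  (one line per record)
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.Branch._sites.dc._msdcs.example.com. 900 IN SRV 0 100 389 rodc1.example.com.
_kerberos._tcp.Branch._sites.dc._msdcs.example.com. 900 IN SRV 0 100 88 rodc1.example.com.
_ldap._tcp.Main._sites.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Main._sites.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.Main._sites.dc._msdcs.example.com. 900 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.Main._sites.dc._msdcs.example.com. 900 IN SRV 0 100 88 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 rodc1.example.com.
"""

# Matches both the site-specific form (_ldap._tcp.<Site>._sites.dc._msdcs.<domain>)
# and the domain-wide form (_ldap._tcp.dc._msdcs.<domain>); "site" is None for the latter.
SRV_RE = re.compile(
    r"^_(?P<service>ldap|kerberos)\._tcp\."
    r"(?:(?P<site>[^.]+)\._sites\.)?dc\._msdcs\.(?P<domain>\S+?)\.?\s+"
    r"\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+"
    r"(?P<target>\S+?)\.?$"
)


def parse_srv(dig_output):
    """Return {(service, site_or_None): set(of target hosts)}."""
    records = defaultdict(set)
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records[(m["service"], m["site"])].add(m["target"].lower())
    return dict(records)


def site_dcs(records, site):
    """DCs a client in `site` will find for both LDAP and Kerberos.

    A DC that is only in one of the two records is not usable for a
    logon, so the intersection is what matters.
    """
    ldap = records.get(("ldap", site), set())
    krb = records.get(("kerberos", site), set())
    return ldap & krb


def check_site(records, site, expected_dcs):
    """List problems with a site's records; empty list means it looks right.

    expected_dcs: the DCs that are supposed to serve this site (for a
    branch site, just its RODC). Any other DC in the site records means
    clients there may still pick a DC from another site.
    """
    expected = {d.lower().rstrip(".") for d in expected_dcs}
    advertised = site_dcs(records, site)
    problems = []
    missing = sorted(expected - advertised)
    if missing:
        problems.append("missing from site %s: %s" % (site, missing))
    extra = sorted(advertised - expected)
    if extra:
        problems.append("site %s also advertises %s" % (site, extra))
    # A DC present for LDAP but not Kerberos (or vice versa) is a half-registered DC.
    lopsided = sorted(records.get(("ldap", site), set()) ^ records.get(("kerberos", site), set()))
    if lopsided:
        problems.append("only one of ldap/kerberos registered in %s: %s" % (site, lopsided))
    return problems


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    for name in ("Main", "Branch"):
        print(name, sorted(site_dcs(recs, name)), check_site(recs, name, ["rodc1.example.com"] if name == "Branch" else ["dc1.example.com", "dc2.example.com"]))
```

To use it against a real domain, save the answer sections of `dig +noall +answer SRV _ldap._tcp.<Site>._sites.dc._msdcs.<domain>` and the matching `_kerberos` query (and optionally the domain-wide `_ldap._tcp.dc._msdcs.<domain>`) into one file and feed that text to `parse_srv`. It only checks what DNS advertises; whether the RODC actually holds the cached machine and user secrets once the RW-DCs are down is a separate question (the password replication policy), which this example does not look at.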
