[Samba] machine account on RODC

Stefan Kania stefan at kania-online.de
Fri Nov 23 07:32:14 UTC 2018

Hi Rowland,

we got the solution for not finding the RODC. We did a classicupgrade
from a samba3 NT-Domain and if you do the upgrade the function level is
2003. The RODC is only supported from 2008, so we raised the function level
to 2008_R2 and it worked.


On 22.11.18 at 22:14, Stefan Kania via samba wrote:
> On 22.11.18 at 17:51, Rowland Penny via samba wrote:
>> On Thu, 22 Nov 2018 17:29:16 +0100
>> Stefan Kania via samba <samba at lists.samba.org> wrote:
>>> Hello everybody,
>>> if I set up an RODC in a different site with its own subnet, do I have to
>>> replicate the machine-passwords with "samba-tool rodc reload host\$
>>> --server=addc"? Or can a machine always authenticate against an RODC?
>> It is my understanding that an RODC never really does authentication
>> like a normal RWDC. When authentication is asked for, the RODC first
>> checks its cache and if the required data is cached, authentication is
>> granted. If it isn't cached, an RWDC is queried which authenticates
>> the request, if appropriate, and the RODC then, if configured to do
>> so, asks for the password to be replicated to the RODC.
>> Pre-loading passwords just speeds things up initially, but you will
>> have to consider whether you really need the passwords on an RODC,
>> this sort of defeats the point of an RODC.
>> Rowland
> That is what I thought too, BUT:
> We installed an RODC in a different subnet, created a site and moved the
> RODC into the subnet. The two RW-DCs are in a physically different
> subnet. If we log in with a user and start "cmd" and use "echo
> %logonserver%" we see any of the RW-DCs in the main site. Then we
> disabled the service ("systemctl stop sernet-samba-ad") on both RW-DCs and
> tried to log in with a user who had already logged in to the win-client.
> Then we got the message "the trust with the domaincontroller can't be
> established". That's why I thought maybe we have to replicate the
> password for the machine.
> Can it be that it's because of the replication between the sites, which
> will only be done every 180 minutes? That's the default setting. We
> tested the login right after we had joined the new RODC. I have read the
> thread about the missing DNS-Entries for the SRV-record. I checked it,
> we have the SRV records for kerberos and ldap.
> For today it's quitting time, maybe it will work tomorrow after all the
> replication stuff has been done.
> If you or someone else has another idea, I take any advice I can get.
> Stefan
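The two checks the thread ends up needing, as an added example that is not code from the thread or from the Samba project: whether the domain functional level reported by `samba-tool domain level show` is high enough for an RODC (2008 or later), and which site-scoped SRV names a client in the RODC's site must resolve. The `domain level show` output format, the sample output, and the site name `Branch` / domain `example.com` are assumptions.

```shell
# Added example, not from the thread or from Samba. Assumes the output
# format of "samba-tool domain level show" shown in SAMPLE_2003.
# Constructed sample: what a classicupgraded samba3 domain reports.
SAMPLE_2003="Domain and forest function level for domain 'DC=example,DC=com'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2"

# Rank a level string so that levels can be compared numerically.
level_rank() {
    case "$1" in
        2000) echo 2000 ;;
        2003) echo 2003 ;;
        2008) echo 2008 ;;
        "2008 R2"|2008_R2) echo 2009 ;;
        2012) echo 2012 ;;
        "2012 R2"|2012_R2) echo 2013 ;;
        2016) echo 2016 ;;
        *) echo 0 ;;   # unknown string: treat as too low
    esac
}
# Extract the "Domain function level" value from the show output.
domain_level() {
    printf '%s\n' "$1" | sed -n 's/^Domain function level: (Windows) //p'
}
# Succeeds (exit 0) only when the domain level is at least 2008.
rodc_supported() {
    [ "$(level_rank "$(domain_level "$1")")" -ge 2008 ]
}
# Site-scoped SRV names a client in site $1 of domain $2 must resolve
# (query them with e.g. "dig SRV <name>" from the client's subnet).
site_srv_names() {
    printf '_ldap._tcp.%s._sites.%s\n' "$1" "$2"
    printf '_kerberos._tcp.%s._sites.dc._msdcs.%s\n' "$1" "$2"
}

if command -v samba-tool >/dev/null 2>&1; then
    out=$(samba-tool domain level show)
else
    out=$SAMPLE_2003   # offline: fall back to the constructed sample
fi
if rodc_supported "$out"; then
    echo "Domain level $(domain_level "$out"): RODC supported"
else
    echo "Domain level $(domain_level "$out") is below 2008; raise it with:"
    echo "  samba-tool domain level raise --domain-level=2008_R2 --forest-level=2008_R2"
fi
site_srv_names Branch example.com
```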
