[Samba] Issues with RODC

Rowland Penny rpenny at samba.org
Sun May 5 12:52:12 UTC 2019

On Sun, 5 May 2019 09:20:37 -0300
Emerson Kfuri via samba <samba at lists.samba.org> wrote:

> Hello,
> Recently I started using RODC servers on my environment and noticed a
> few issues with it:
> - lack of LDAP SPNs
> - "samba_dnsupdate" not working with "insufficient access rights" (it
> works from RWDCs)

Probably because you cannot write to an RODC

> - "samba-tool dbcheck" changes instancetype of basically all objects
> from 4 to 0.

'4' means 'The object is writeable on this directory.', well it isn't on
an RODC, so '0' is probably correct.

> New replicated objects continues being created with instancetype 4
> and dbcheck continues to change them

See above.

> - "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED

Replication is one way into the RODC

> - "samba-tool domain tombstones expunge" is unable to expunge expired
> deleted objects

This may be a problem, but then again it might not be, to 'delete' you
have to have 'write', but you cannot write to an RODC.

Are you using the RODC's in the same site as your RWDC's ?
If so, why ?
RODC's are meant to be used where there are security and/or other
concerns, so if you have RWDC's at the same place, why use RODC's ?


More information about the samba mailing list