[Samba] Issues with RODC

Emerson Kfuri emersonkfuri at gmail.com
Sun May 5 13:13:07 UTC 2019


On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 09:20:37 -0300
> Emerson Kfuri via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > Recently I started using RODC servers in my environment and noticed a
> > few issues with them:
> > - lack of LDAP SPNs
> > - "samba_dnsupdate" not working with "insufficient access rights" (it
> > works from RWDCs)
>
> Probably because you cannot write to an RODC
>

Yes! That's the idea! But if these records are not automatically
registered, that means the admin always has to add them manually. This should be
documented so...

>
> > - "samba-tool dbcheck" changes instancetype of basically all objects
> > from 4 to 0.
>
> '4' means 'The object is writeable on this directory.', well it isn't on
> an RODC, so '0' is probably correct.
>
> > New replicated objects continue being created with instancetype 4
> > and dbcheck continues to change them
>
> See above.
>

So why not create these objects already with instancetype 0?

>
> > - "samba-tool drs showrepl" exiting with WERR_DS_DRA_ACCESS_DENIED
>
> Replication is one way into the RODC
>
> > - "samba-tool domain tombstones expunge" is unable to expunge expired
> > deleted objects
>
> This may be a problem, but then again it might not be, to 'delete' you
> have to have 'write', but you cannot write to an RODC.
>

And how to prevent the database from accumulating garbage?

>
> Are you using the RODCs in the same site as your RWDCs?
> If so, why?
> RODCs are meant to be used where there are security and/or other
> concerns, so if you have RWDCs at the same place, why use RODCs?
>
>
I have 3 sites and all of them have an RWDC and at least one RODC. I use
multiple RWDCs to balance write load and multiple RODCs to reduce
replication flow. Because of my database size and number of simultaneous
clients, I needed to grow the number of controllers to balance LDAP queries
since servers became unresponsive due to LDAP memory leaks.

> Rowland
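The thread turns on what the instanceType attribute means: bit 0x4 is the "object is writeable on this directory" flag, which is why dbcheck clears it on an RODC. The following Python script is an added example, not code from this thread or from Samba; it decodes instanceType values using the bit definitions from MS-ADTS and scans an LDIF dump (assumed to have been produced with something like ldbsearch against the RODC's sam.ldb) for objects that still claim to be writeable. The sample LDIF embedded below is constructed for the example and is not real directory data.

```python
"""Decode Active Directory instanceType values and report objects in an LDIF
dump that carry the WRITE bit, which should not appear on an RODC."""

import base64

# instanceType bit flags as defined in MS-ADTS.
INSTANCE_TYPE_FLAGS = {
    0x01: "IS_NC_HEAD",   # object is the head of a naming context
    0x02: "UNINSTANT",    # naming context is not instantiated here
    0x04: "WRITE",        # object is writeable on this directory
    0x08: "NC_ABOVE",     # the NC above this one is held on this DC
    0x10: "NC_COMING",    # NC is being constructed by replication
    0x20: "NC_GOING",     # NC is being removed
}


def decode_instance_type(value):
    """Return the list of flag names set in an instanceType integer."""
    return [name for bit, name in sorted(INSTANCE_TYPE_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attribute: [values]} dicts.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ..."); enough for ldbsearch-style output.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of previous line
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():             # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):          # "attr:: base64value"
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        current.setdefault(key.strip(), []).append(val)
    if current:
        entries.append(current)
    return entries


def find_writeable_objects(ldif_text):
    """Return (dn, flag names) for every entry whose instanceType has WRITE set."""
    hits = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for raw in entry.get("instanceType", []):
            value = int(raw)
            if value & 0x04:
                hits.append((dn, decode_instance_type(value)))
    return hits


# Constructed sample modelled on ldbsearch output; not real directory data.
SAMPLE_LDIF = """\
# constructed sample: domain head, a container, a user, and a base64 value
dn: DC=example,DC=test
instanceType: 5

dn: CN=Users,DC=example,DC=test
instanceType: 4

dn: CN=alice,CN=Users,DC=example,DC=test
instanceType: 0

dn: CN=bob,CN=Users,DC=example,DC=test
instanceType:: NA==
"""

if __name__ == "__main__":
    for dn, flags in find_writeable_objects(SAMPLE_LDIF):
        print(f"{dn}: {' | '.join(flags)}")
```

Run against a dump from an RODC, a non-empty result lists exactly the objects dbcheck would rewrite from 4 to 0; on an RWDC the same objects are expected to carry WRITE.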
