[Samba] Issues with RODC
rpenny at samba.org
Sun May 5 14:29:47 UTC 2019
On Sun, 5 May 2019 10:13:07 -0300
Emerson Kfuri <emersonkfuri at gmail.com> wrote:
> On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Sun, 5 May 2019 09:20:37 -0300
> > Emerson Kfuri via samba <samba at lists.samba.org> wrote:
> > > Hello,
> > >
> > > Recently I started using RODC servers in my environment and
> > > noticed a few issues with them:
> > > - lack of LDAP SPNs
> > > - "samba_dnsupdate" not working with "insufficient access
> > > rights" (it works from RWDCs)
> > Probably because you cannot write to an RODC
> Yes! That's the idea! But if these records are not automatically
> registered, it means the admin always has to add them manually. This
> should be documented so...
In the Samba world, working RODCs are relatively new, so things like
this are still being found.
> > > - "samba-tool dbcheck" changes instancetype of basically all
> > > objects from 4 to 0.
> > '4' means 'The object is writeable on this directory.', well it
> > isn't on an RODC, so '0' is probably correct.
> > > New replicated objects continue being created with instancetype 4
> > > and dbcheck continues to change them
> > See above.
> So why not create these objects already with instancetype 0?
Because they are being replicated in from an RWDC, where '4' is correct.
I would think that Windows RODCs probably have code to do this during
replication and, obviously, Samba doesn't yet.
> > > - "samba-tool drs showrepl" exiting with
> > > WERR_DS_DRA_ACCESS_DENIED
> > Replication is one way into the RODC
> > > - "samba-tool domain tombstones expunge" is unable to expunge
> > > expired deleted objects
> > This may be a problem, but then again it might not be, to 'delete'
> > you have to have 'write', but you cannot write to an RODC.
> And how to prevent the database from accumulating garbage?
Again, this is probably something that will get fixed down the line,
but it seems this isn't just a Samba problem; a quick internet search
turned up the Windows fix for this: demote and rejoin the RODC ;-)
> > Are you using the RODCs in the same site as your RWDCs?
> > If so, why?
> > RODCs are meant to be used where there are security and/or other
> > concerns, so if you have RWDCs at the same place, why use RODCs?
> I have 3 sites and all of them have an RWDC and at least one RODC. I
> use multiple RWDCs to balance write load and multiple RODCs to reduce
> replication flow. Because of my database size and number of
> simultaneous clients, I needed to grow the number of controllers to
> balance LDAP queries, since servers became unresponsive due to LDAP
> memory leaks.
That isn't really how RODCs are meant to be used.
If you have LDAP memory leaks, then you should create a bug report
or, if there is one, add to an existing bug report; things like this
will not get fixed unless Samba is told about it.