[Samba] Issues with RODC

[Rowland Penny]

On Sun, 5 May 2019 10:13:07 -0300
Emerson Kfuri <emersonkfuri at gmail.com> wrote:

> On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:  
> 
> > On Sun, 5 May 2019 09:20:37 -0300
> > Emerson Kfuri via samba <samba at lists.samba.org> wrote:
> >  
> > > Hello,
> > >
> > > Recently I started using RODC servers on my environment and
> > > noticed a few issues with it:
> > > - lack of LDAP SPNs
> > > - "samba_dnsupdate" not working with "insufficient access
> > > rights" (it works from RWDCs)  
> >
> > Probably because you cannot write to an RODC
> >  
> 
> Yes! That's the idea! But if these records are not automatically
> registered, means admin always have to add them manually. This should
> be documented so...

In the Samba world, working RODC's are relatively new, so things like
this are still being found.
  
> 
> >  
> > > - "samba-tool dbcheck" changes instancetype of basically all
> > > objects from 4 to 0.  
> >
> > '4' means 'The object is writeable on this directory.', well it
> > isn't on an RODC, so '0' is probably correct.
> >  
> > > New replicated objects continues being created with instancetype 4
> > > and dbcheck continues to change them  
> >
> > See above.
> >  
> 
> So why not create these objects already with instancetype 0?

Because they are being replicated in from an RWDC where '4' is correct,
I would think that that Windows RODC will probably have code to do this
during replication and, obviously, Samba hasn't yet.

> 
> >  
> > > - "samba-tool drs showrepl" exiting with
> > > WERR_DS_DRA_ACCESS_DENIED  
> >
> > Replication is one way into the RODC
> >  
> > > - "samba-tool domain tombstones expunge" is unable to expunge
> > > expired deleted objects  
> >
> > This may be a problem, but then again it might not be, to 'delete'
> > you have to have 'write', but you cannot write to an RODC.
> >  
> 
> And how to prevent the database from accumulating garbage?

Again, this is probably something that will get fixed down the line,
but it seems this isn't just a Samba problem, a quick internet search
turned up the Windows fix for this, demote and rejoin the RODC ;-)
 
> >
> > Are you using the RODC's in the same site as your RWDC's ?
> > If so, why ?
> > RODC's are meant to be used where there are security and/or other
> > concerns, so if you have RWDC's at the same place, why use RODC's ?
> >
> >  
> I have 3 sites and all of them has an RWDC and at least one RODC. I
> use multiple RWDCs to balance write load and multiples RODCs to reduce
> replication flow. Because of my database size and number of
> simultaneous clients, I needed to grow the number of controllers to
> balance LDAP queries since servers became unresponsive due to LDAP
> memory leaks.

That isn't really how RODC's are meant to be used.

If you have LDAP memory leaks, then you should create a bug report
or, if there is one, add to an existing bug report, things like this
will not get fixed unless Samba is told about it.

Rowland