[Samba] RODC in remote Site

cn at brain-biotech.de cn at brain-biotech.de
Mon Feb 15 14:48:40 UTC 2021


Hello All,
sorry for the long post...
I have deployed a RODC in a remote site. The Site and the subnet were 
already created but had no DC. I have set up the RODC as I would a 
normal DC. This is on CentOS 8 with Sernet packages. I did the join like 
this:

samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"

This completed successfully. The RODC was created in the Sites and 
Services app. The replication with one DC is also listed there.



This is the smb.conf

-------------------------------------------------------------------
[global]
           netbios name = RODC
           realm = HQ.DOMAIN.DE
           server role = active directory domain controller
           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
           workgroup = DOMAIN-02
           prefork children = 8
           idmap_ldb:use rfc2307 = yes
           template shell = /bin/bash
           template homedir = /home/%U
           restrict anonymous = 2
           disable netbios = yes
           smb ports = 445
           server min protocol = SMB2
           client min protocol = SMB2
           tls enabled  = yes
           tls keyfile  = tls/server_de.key
           tls certfile = tls/server.pem
           tls cafile   = tls/ca.pem
           kerberos method = secrets and keytab
           dedicated keytab file = /etc/krb5.keytab
           printcap name = /dev/null
           load printers = no
           disable spoolss = yes
           printing = bsd

[sysvol]
           path = /var/lib/samba/sysvol
           read only = No

[netlogon]
           path = /var/lib/samba/sysvol/hq.DOMAIN.DE/scripts
           read only = No



This is the krb5.conf. kinit Administrator works and gets a ticket.

-------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = HQ.DOMAIN.DE
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_ccache_name = KEYRING:persistent:%{uid}
-------------------------------------------------------------------

I can preload users:

[root at rodc ~]# samba-tool rodc preload cn --server=dc2
Replicating DN CN=cn,CN=Users,DC=hq,DC=domain,DC=de
Exop on[CN=cn,CN=Users,DC=hq,DC=domain,DC=de] objects[1] linked_values[1]


The DNS A entry and the CNAME for the GUID were created during the join. The 
other entries did not get created, so I ran samba_dnsupdate. I tried this 
with Bind and the internal DNS; this is the output from the internal DNS:

[root at rodc ~]# samba_dnsupdate --verbose  --all-names
IPs: ['10.1.0.77']
force update: A rodc.hq.DOMAIN.DE 10.1.0.77
force update: CNAME 
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
force update: SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
force update: SRV _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 389
force update: SRV _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 88
force update: SRV _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 88
force update: SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
force update: SRV _ldap._tcp.DMZ._sites.gc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 3268
8 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc2.hq.DOMAIN.DE as RODC$
update (nsupdate): A rodc.hq.DOMAIN.DE 10.1.0.77
Calling nsupdate for A rodc.hq.DOMAIN.DE 10.1.0.77 (add)
Successfully obtained Kerberos ticket to DNS/dc2.hq.DOMAIN.DE as RODC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
rodc.hq.DOMAIN.DE. 900	IN	A	10.1.0.77

update failed: REFUSED
Failed nsupdate: 2
update (rodc): CNAME 
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
Calling netlogon RODC update for CNAME 
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
Error setting DNS entry of type 28: CNAME 
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE: (3221225506, '{Access Denied} A process has requested 
access to an object but has not been granted those access rights.')
Called netlogon RODC update for CNAME 
50e4a341-c677-4562-a055-cefd7686ce68._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE
update (rodc): SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Calling netlogon RODC update for SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 22: SRV 
_ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389: (3221225506, 
'{Access Denied} A process has requested access to an object but has not 
been granted those access rights.')
Called netlogon RODC update for SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 389
update (rodc): SRV _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 389
Calling netlogon RODC update for SRV 
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 32: SRV 
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389: 
(3221225506, '{Access Denied} A process has requested access to an 
object but has not been granted those access rights.')
Called netlogon RODC update for SRV 
_ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
update (rodc): SRV _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 88
Calling netlogon RODC update for SRV 
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 34: SRV 
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88: 
(3221225506, '{Access Denied} A process has requested access to an 
object but has not been granted those access rights.')
Called netlogon RODC update for SRV 
_kerberos._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
update (rodc): SRV _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 88
Calling netlogon RODC update for SRV 
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
Error setting DNS entry of type 30: SRV 
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88: 
(3221225506, '{Access Denied} A process has requested access to an 
object but has not been granted those access rights.')
Called netlogon RODC update for SRV 
_kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 88
update (rodc): SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
update (rodc): SRV _ldap._tcp.DMZ._sites.gc._msdcs.hq.DOMAIN.DE 
rodc.hq.DOMAIN.DE 3268
Failed update of 6 entries


During the run of samba_dnsupdate I see several of these in the logs:


Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: [2021/02/13 
10:56:59.766999,  1] 
../../source3/winbindd/winbindd_cm.c:1281(cm_prepare_connection)
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]:   failed tcon_X with 
NT_STATUS_ACCESS_DENIED
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]: [2021/02/13 
10:56:59.767285,  1] 
../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 13 10:56:59 rodc.hq.DOMAIN.DE winbindd[1794]:   Failed to prepare 
SMB connection to dc1.hq.DOMAIN.DE: NT_STATUS_ACCESS_DENIED


And on the DC where it is trying to update I see this:


Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: starting 
transaction on zone hq.DOMAIN.DE
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: disallowing 
update of signer=RODC\$\@HQ.DOMAIN.DE name=rodc.hq.DOMAIN.DE type=A 
error=insufficient access rights
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: client @0x7f39e4dccc30 
10.1.0.77#42255/key RODC\$\@HQ.DOMAIN.DE: updating zone 
'hq.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
Feb 13 10:56:59 dc2.hq.DOMAIN.DE named[944332]: samba_dlz: cancelling 
transaction on zone hq.DOMAIN.DE



So I created the missing DNS entries (except for the global catalog ones):

samba-tool dns add DC1 _msdcs.hq.DOMAIN.DE _ldap._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 389 0 100'
samba-tool dns add DC1 _msdcs.hq.DOMAIN.DE _kerberos._tcp.DMZ._sites.dc._msdcs.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 88 0 100'

samba-tool dns add DC1 hq.DOMAIN.DE _ldap._tcp.DMZ._sites.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 389 0 100'
samba-tool dns add DC1 hq.DOMAIN.DE _kerberos._tcp.DMZ._sites.hq.DOMAIN.DE SRV 'RODC.hq.DOMAIN.DE 88 0 100'


Replication seems to work (no error on the DC that does this). And I get 
this on the RODC:

[root at rodc ~]# samba-tool drs showrepl -U Administrator
Password for [DOMAIN-02\Administrator]:
DMZ\RODC
DSA Options: 0x00000025
DSA object GUID: 50e4a341-c677-4562-a055-cefd7686ce68
DSA invocationId: 3e623f57-345a-4af1-9998-ccc5cf21f387

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: RODC Connection (FRS)
	Enabled        : TRUE
	Server DNS name : dc2.hq.domain.de
	Server DN name  : CN=NTDS 
Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=de
		TransportType: RPC
		options: 0x00000041
Warning: No NC replicated for Connection!


I can wbinfo -u/-g and get all info. I can auth with wbinfo -a all 
users that are preloaded and are in "Allowed RODC Password Replication 
Group". However, if a user is not preloaded, auth fails.


[root at rodc ~]# wbinfo -a bir
Enter bir's password:
plaintext password authentication failed
Could not authenticate user bir with plaintext password
Enter bir's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(DOMAIN-02\bir): error code was 
NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
error message was: {Access Denied} A process has requested access to an 
object but has not been granted those access rights.
Could not authenticate user bir with challenge/response

While in the logs I see many of this:

Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 
15:43:30.146704,  1] 
../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Failed to prepare 
SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED

And finally this:

Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 
15:43:30.147548,  2] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Auth: 
[winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15 
Feb 2021 15:43:30.147532 CET] with [NTLMv2] status 
[NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped 
to [(null)]\[(null)]. local host [unix:]


This works if the user is preloaded.

If I run this:

net ads keytab create -k yes

nothing happens. No error, and no keytab is created.


Does anyone have an idea what to try? Or should I leave and join again?

Regards


Christian

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt District Court (AG Darmstadt), HRB 24758
Management Board: Adriaan Moelker (Chairman of the Management Board), 
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
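As an added example (not code from the original post or from Samba), a small Python parser for samba_dnsupdate --verbose output of the kind quoted in the post: it pairs each attempted record with the failure line that follows it, so the records blocked by a secure-update REFUSED or by an RODC netlogon Access Denied can be listed in one place, and it decodes the decimal NTSTATUS 3221225506 into the 0xC0000022 (NT_STATUS_ACCESS_DENIED) form that wbinfo prints. The sample output is constructed from the post's own lines with the mailer's wrapping undone.

```python
"""Summarise a samba_dnsupdate --verbose run: which records it tried, which
failed, and why, with the decimal NTSTATUS decoded to its usual hex form."""
import re

# Constructed sample: lines abridged from the verbose output quoted in the
# post, with the mailer's line wrapping undone.
SAMPLE_OUTPUT = """\
update (nsupdate): A rodc.hq.DOMAIN.DE 10.1.0.77
Calling nsupdate for A rodc.hq.DOMAIN.DE 10.1.0.77 (add)
update failed: REFUSED
update (rodc): SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389
Error setting DNS entry of type 22: SRV _ldap._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 389: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
update (rodc): SRV _gc._tcp.DMZ._sites.hq.DOMAIN.DE rodc.hq.DOMAIN.DE 3268
Failed update of 6 entries
"""

UPDATE_RE = re.compile(r"^update \((?P<method>nsupdate|rodc)\): (?P<rtype>\S+) (?P<name>\S+)")
NTSTATUS_RE = re.compile(r"\((?P<code>\d+), '(?P<msg>[^']*)'\)")


def nt_status_hex(code):
    """Render a decimal NTSTATUS as the 0xC... form seen in wbinfo and log output."""
    return "0x{:08X}".format(code & 0xFFFFFFFF)


def parse_dnsupdate(output):
    """Return one dict per attempted record: method, rtype, name, status, detail."""
    records = []
    current = None
    for line in output.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            # A new "update (...)" line starts the next record; later lines belong to it.
            current = dict(m.groupdict(), status="attempted", detail=None)
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("update failed:"):           # nsupdate (GSS-TSIG) path
            current["status"] = "failed"
            current["detail"] = line.split(":", 1)[1].strip()
        elif line.startswith("Error setting DNS entry"):  # netlogon RODC path
            n = NTSTATUS_RE.search(line)
            current["status"] = "failed"
            current["detail"] = "%s %s" % (nt_status_hex(int(n["code"])), n["msg"]) if n else line
    return records


def failed_names(records):
    """Names of the records the run could not write, in attempt order."""
    return [r["name"] for r in records if r["status"] == "failed"]
```

Records with status "attempted" and no detail (the _gc ones above) are the entries samba_dnsupdate listed but never reported a result for.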


