[Samba] RODC in remote Site

Rowland penny rpenny at samba.org
Mon Feb 15 16:02:59 UTC 2021


On 15/02/2021 15:20, cn--- via samba wrote:
> On 15.02.21 at 16:06, Rowland penny via samba wrote:
>> On 15/02/2021 14:48, cn--- via samba wrote:
>>> Hello All,
>>> sorry for the long post...
>>> I have deployed a RODC in a remote site. The Site and the subnet 
>>> were already created but had no DC. I have set up the RODC as I 
>>> would a normal DC. This is on Contos 8 with Sernet packages. And did 
>>> a join like this:
>>>
>>> samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ 
>>> --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"
>>>
>>> This completed successfully. The RODC was created in the Sites and 
>>> Services app. The replication with one DC is also listed there.
>>
>>
>> Do you have 'dns.keytab' in /var/lib/samba/bind-dns/ ?
>
> Yes I copied this before I first started samba-ad service just to make 
> sure.
>
>>
>> If you don't (I am willing to bet you don't), run 'samba_upgradedns' 
>> and downgrade to the internal dns server, then run it again, but add 
>> '--dns-backend=BIND9_DLZ'. This will upgrade you to the Bind9 dns 
>> server again, but this time with the 'dns.keytab' in the correct 
>> location.
>
> I ran this already but tried it again:
>
> [root at rodc ~]# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/HQ.DOMAIN.DE.zone
> DNS records will be automatically created
> DNS partitions already exist
> DSDB Transaction [rollback] at [Mon, 15 Feb 2021 16:16:02.417149 CET] 
> duration [3056]
> Traceback (most recent call last):
>   File "/usr/sbin/samba_upgradedns", line 439, in <module>
>     ldbs.sam.modify(m)
> _ldb.LdbError: (1, 'Invalid LDB reply type 1')


An 'RODC' is called that for a reason: you cannot write to its database; 
perhaps the command needs to be able to write to another DC ???

>
> But Bind starts and runs OK. Again trying to update DNS:
>
>
> Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: added 
> rdataset 87.1.168.192.in-addr.arpa '87.1.168.192.in-addr.arpa. 
> 1200        IN        PTR        BR-FH9Y503.hq.domain.de.'
> Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: committed 
> transaction on zone 1.168.192.in-addr.arpa
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting 
> transaction on zone hq.domain.de
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing 
> update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A 
> error=insufficient access rights
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40 
> 10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone 
> 'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling 
> transaction on zone hq.domain.de
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
> 16:17:52.578833,  1] 
> ../../source3/smbd/service.c:355(create_connection_session_info)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
> create_connection_session_info: guest user (from session setup) not 
> permitted to access this share (IPC$)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
> 16:17:52.578922,  1] 
> ../../source3/smbd/service.c:544(make_connection_snum)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
> 16:17:52.618969,  1] 
> ../../source3/smbd/service.c:355(create_connection_session_info)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
> create_connection_session_info: guest user (from session setup) not 
> permitted to access this share (IPC$)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
> 16:17:52.619059,  1] 
> ../../source3/smbd/service.c:544(make_connection_snum)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED


The same goes for the above, it is trying to write to the local database 
and cannot. Have you tried creating the RODC's dns records on a DC (if 
they don't exist) ?

>
>
>
> And on the remote DC I get this:
>
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting 
> transaction on zone hq.domain.de
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing 
> update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A 
> error=insufficient access rights
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40 
> 10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone 
> 'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
> Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling 
> transaction on zone hq.domain.de
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
> 16:17:52.578833,  1] 
> ../../source3/smbd/service.c:355(create_connection_session_info)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
> create_connection_session_info: guest user (from session setup) not 
> permitted to access this share (IPC$)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: [2021/02/15 
> 16:17:52.578922,  1] 
> ../../source3/smbd/service.c:544(make_connection_snum)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123481]: 
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
> 16:17:52.618969,  1] 
> ../../source3/smbd/service.c:355(create_connection_session_info)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
> create_connection_session_info: guest user (from session setup) not 
> permitted to access this share (IPC$)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: [2021/02/15 
> 16:17:52.619059,  1] 
> ../../source3/smbd/service.c:544(make_connection_snum)
> Feb 15 16:17:52 dc2.hq.domain.de smbd[1123482]: 
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>
It looks like the RODC is passing its update command to a DC which 
cannot update the records because it does not own the record.

The last part of that seems to have someone (an unknown user) trying to 
connect and being refused; this has nothing to do with your dns problem.

Rowland
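A small triage helper for the refused-update lines quoted in this thread, added here as an example; it is not code from the thread or from the Samba project. It parses constructed journal lines in the shape of the ones posted, lists which signer, record name and type samba_dlz refused, and prints the samba-tool command that would create that record on a writable DC, which is the workaround suggested above; DC_HOST and ADDRESS are placeholders.

```shell
# Constructed journal excerpt from a writable DC's named (samba_dlz backend),
# modelled on the lines posted in the thread. Not captured from a real system.
sample_log() {
    cat <<'EOF'
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: starting transaction on zone hq.domain.de
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: disallowing update of signer=RODC\$\@HQ.domain.DE name=rodc.hq.domain.de type=A error=insufficient access rights
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: client @0x7f39b801cc40 10.1.0.77#49117/key RODC\$\@HQ.domain.DE: updating zone 'hq.domain.de/NONE': update failed: rejected by secure update (REFUSED)
Feb 15 16:17:52 dc2.hq.domain.de named[944332]: samba_dlz: cancelling transaction on zone hq.domain.de
Feb 15 16:16:44 dc2.hq.domain.de named[944332]: samba_dlz: committed transaction on zone 1.168.192.in-addr.arpa
EOF
}

# Read named log lines on stdin; print "signer name type" for every secure
# dynamic update that samba_dlz refused for lack of access rights.
refused_updates() {
    grep 'samba_dlz: disallowing update of' |
        sed -n 's/.*signer=\([^ ]*\) name=\([^ ]*\) type=\([^ ]*\) error=insufficient access rights.*/\1 \2 \3/p'
}

# Read the same log on stdin; for each refused update print the samba-tool
# command that would create the record on a writable DC instead (the
# workaround suggested in the thread). DC_HOST is a placeholder for the
# writable DC; the address is taken from the matching "client ... /key <signer>"
# line and falls back to the placeholder ADDRESS when no such line exists.
suggest_fix() {
    log=$(cat)
    printf '%s\n' "$log" | refused_updates | while read -r signer name type; do
        host=${name%%.*}
        zone=${name#*.}
        addr=$(printf '%s\n' "$log" | grep -F "/key $signer:" |
            sed -n 's/.*client @[^ ]* \([0-9.]*\)#.*/\1/p' | head -n 1)
        printf 'samba-tool dns add %s %s %s %s %s -U Administrator\n' \
            DC_HOST "$zone" "$host" "$type" "${addr:-ADDRESS}"
    done
}

# On a real writable DC: journalctl -u named | suggest_fix
sample_log | refused_updates
sample_log | suggest_fix
```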
