[Samba] RODC in remote Site

Andrew Bartlett abartlet at samba.org
Mon Feb 15 20:42:17 UTC 2021

On Mon, 2021-02-15 at 15:48 +0100, cn--- via samba wrote:
> Hello All,
> sorry for the long post...
> I have deployed a RODC in a remote site. The Site and the subnet were
> already created but had no DC. I have set up the RODC as I would a
> normal DC. This is on CentOS 8 with Sernet packages. And did a join
> like this:
> samba-tool domain join HQ.DOMAIN.DE RODC --site=DMZ --dns-backend=BIND9_DLZ -U"DOMAIN-02\Administrator"
> This completed successfully. The RODC was created in the Sites and 
> Services app. The replication with one DC is also listed there.

So far so good.

> I can preload users:
> [root at rodc ~]# samba-tool rodc preload cn --server=dc2
> Replicating DN CN=cn,CN=Users,DC=hq,DC=domain,DC=de
> Exop on[CN=cn,CN=Users,DC=hq,DC=domain,DC=de] objects[1] linked_values[1]

This shows that the password of the RODC is correct in the domain,
which makes this strange:

> I can wbinfo -u/-g and get all info. I can auth with wbinfo -a all
> users that are preloaded and are in "Allowed RODC Password Replication
> Group". However, if a user is not preloaded, auth fails.
> [root at rodc ~]# wbinfo -a bir
> Enter bir's password:
> plaintext password authentication failed
> Could not authenticate user bir with plaintext password
> Enter bir's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(DOMAIN-02\bir): error code was
> NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
> error message was: {Access Denied} A process has requested access to
> an object but has not been granted those access rights.
> Could not authenticate user bir with challenge/response
> While in the logs I see many of these:
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.146704,  1] ../../source3/winbindd/winbindd_cm.c:1310(cm_prepare_connection)
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Failed to prepare SMB connection to dc2.hq.domain.de: NT_STATUS_ACCESS_DENIED

This is the bit that will need further diagnosis.  It isn't as simple
as a wrong password; it will be something about how the connection is
being set up to DC2.

> And finally this:
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]: [2021/02/15 15:43:30.147548,  2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Feb 15 15:43:30 rodc.hq.domain.de winbindd[34442]:   Auth: [winbind,NTLM_AUTH, wbinfo, 34390] user [DOMAIN-02]\[bir] at [Mon, 15 Feb 2021 15:43:30.147532 CET] with [NTLMv2] status [NT_STATUS_ACCESS_DENIED] workstation [RODC] remote host [unix:] mapped to [(null)]\[(null)]. local host [unix:]

I would turn up the logs on the DC and see why it objects.

> This works if the user is preloaded.

yes, because a preloaded user is locally cached.

> If I run this:
> net ads keytab create -k yes
> nothing happens. No error and no keytab is created.

net ads keytab isn't a supported part of the AD DC; this is tied to the
member server codebase and isn't hooked into the DC credentials.

Likewise the 'use kerberos keytab' and similar smb.conf entries are not
used in the AD DC mode.

I hope this helps you figure out what is going on here.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
