[Samba] RODC in remote Site
Andrew Bartlett
abartlet at samba.org
Tue Feb 16 07:47:29 UTC 2021
On Tue, 2021-02-16 at 08:24 +0100, cn--- via samba wrote:
> On 16.02.21 at 08:11, Andrew Bartlett via samba wrote:
>
> > It will be the 'restrict anonymous = 2' on the DC I suppose. I don't
> > know why winbindd on the RODC isn't authenticating the SMB layer of
> > the connection, and I suppose that makes it a bug (we are almost
> > certainly authenticating the next layer in, the NETLOGON pipe with
> > schannel), but if that fixes it at least we know what is going on.
> >
> > My guess is that we are not NTLMSSP/kerberos authenticating the SMB
> > the netlogon pipe is on because we used to use this to bootstrap
> > authentication of the other pipes (also with schannel) before MS
> > broke that (fixed a security bug actually...).
> >
> > Anyway, try that and use the information to file a bug.
>
> Thanks Andrew. This was it. I will file a bug.
>
>
> Regards
The same pipe (\pipe\netlogon) is used to forward the DNS update
requests so that will explain your DNS trouble also.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions