[Samba] Recently joined RODC loses machine accounts
Mitja Tavčar
mitja at mttv.it
Tue Dec 3 08:15:36 UTC 2024
Hi, I have some problems with a recently joined Read Only Domain Controller.
I had 2 Domain Controllers based on Windows Server 2019 (hosts vmw2srvdc1 and vmw2srvdc2).
I recently added a new site (PSN) and a Read Only DC in this second site based on Samba (host lvsrvdc).
Then I added a fileserver (host lvsrv39) joined as a domain member in the same site as the new RODC (lvsrvdc).
Performing the join seems OK, but within a few hours the new domain member apparently loses its domain account.
I wrote "apparently" because the issue seems to be only with the new RODC.
I checked with the testjoin command:
root at psn-lvsrv39:~# net ads testjoin
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not found in Kerberos database
Join to domain is not valid: LDAP_INVALID_CREDENTIALS
This happens if I direct the test towards the read-write DC in the other site (--server vmw2srvdc1):
root at psn-lvsrv39:~# net ads testjoin --server vmw2srvdc1
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not found in Kerberos database
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not found in Kerberos database
Join is OK
If I explicitly send the testjoin towards the Read Only DC in the same site (--server lvsrvdc) I see the error:
root at psn-lvsrv39:~# net ads testjoin --server lvsrvdc
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not found in Kerberos database
Join to domain is not valid: LDAP_INVALID_CREDENTIALS
So I suspect some replication problems between the RODC and both RW DCs, but I'm not sure how to check.
The samba-tool drs showrepl command gives me different results based on whether I add a domain administrator user or not.
samba-tool drs showrepl output on the RODC:
root at lvsrvdc:~# samba-tool drs showrepl
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
root at lvsrvdc:~# samba-tool drs kcc
ERROR(runtime): DsExecuteKCC failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
root at lvsrvdc:~# samba-tool drs showrepl -U adminmit
Password for [INTRA\adminmit]:
PSN\LVSRVDC
DSA Options: 0x00000025
DSA object GUID: 7bd5241d-14b1-4bfa-a2af-2fa7a08d5b92
DSA invocationId: 36d43f9c-23e9-482a-a084-cfeddbe41c55
==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: VMW2SRVDC1
Enabled : TRUE
Server DNS name : vmw2srvdc1.intra.comune.trento.it
Server DN name : CN=NTDS Settings,CN=VMW2SRVDC1,CN=Servers,CN=TRENTO,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
Connection --
Connection name: RODC Connection (FRS)
Enabled : TRUE
Server DNS name : vmw2srvdc2.intra.comune.trento.it
Server DN name : CN=NTDS Settings,CN=VMW2SRVDC2,CN=Servers,CN=TRENTO,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
TransportType: RPC
options: 0x00000041
Warning: No NC replicated for Connection!
--
Mitja Tavčar
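The showrepl output above has two tell-tale symptoms: the INBOUND/OUTBOUND NEIGHBORS sections are empty, and every KCC connection object ends with "Warning: No NC replicated for Connection!". The following parser is an added example (not part of the post or of Samba) that extracts those two facts from showrepl text so the check can be scripted against each DC; the embedded sample is a constructed, abbreviated copy of the output quoted above, and the partner-counting heuristic ("<SITE>\<DC> via RPC" lines under the neighbor headings) is an assumption about the healthy-output layout.

```python
import re
# Constructed sample, abbreviated from the RODC output quoted in the thread.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: VMW2SRVDC1
Enabled : TRUE
Server DNS name : vmw2srvdc1.intra.comune.trento.it
Warning: No NC replicated for Connection!
Connection --
Connection name: RODC Connection (FRS)
Enabled : TRUE
Server DNS name : vmw2srvdc2.intra.comune.trento.it
Warning: No NC replicated for Connection!
"""
def parse_showrepl(text):
    """Return ({neighbor section: partner count}, [KCC connection dicts]).
    A replicating DC lists each partner as '<SITE>\\<DC> via RPC' under the
    INBOUND/OUTBOUND headings (assumed layout); a DC that pulls nothing shows none."""
    neighbors = {"INBOUND NEIGHBORS": 0, "OUTBOUND NEIGHBORS": 0}
    connections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"==== (.+?) ====", line)
        if head:
            section = head.group(1)
        elif section in neighbors and " via " in line:
            neighbors[section] += 1
        elif section == "KCC CONNECTION OBJECTS" and line == "Connection --":
            connections.append({"replicated": True})  # healthy until warned
        elif section == "KCC CONNECTION OBJECTS" and connections:
            if line.startswith("Warning: No NC replicated"):
                connections[-1]["replicated"] = False
            elif ":" in line:  # 'Server DNS name : host' -> key 'server dns name'
                key, _, value = line.partition(":")
                connections[-1][key.strip().lower()] = value.strip()
    return neighbors, connections

def diagnose(text):
    """Return findings; an empty list means partners exist and every enabled link carries a NC."""
    neighbors, connections = parse_showrepl(text)
    findings = []
    if neighbors["INBOUND NEIGHBORS"] == 0:
        findings.append("no inbound neighbors: this DC pulls no partition from any DC")
    for c in connections:
        if c.get("enabled") == "TRUE" and not c["replicated"]:
            findings.append(f"{c.get('connection name')!r} from {c.get('server dns name')} replicates no NC")
    return findings
```

Run against the sample it reports three findings (no inbound neighbors plus one per connection), which is exactly the state in which a freshly joined member's account exists on the RW DCs but is unknown to the RODC.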