[Samba] Recently joined RODC loses machine accounts

Mitja Tavčar mitja at mttv.it
Tue Dec 3 10:25:35 UTC 2024


On 03/12/24 10:13, Rowland Penny via samba wrote:
> On Tue, 3 Dec 2024 09:15:36 +0100
> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> 
>> Hi, I have some problems with a recently joined Read Only Domain
>> Controller.
>>
>> I had 2 Domain Controllers based on Windows Server 2019 (hosts
>> vmw2srvdc1 and vmw2srvdc2), and I recently added a new site (PSN)
>> and a Read Only DC in this second site based on Samba (host lvsrvdc).
> 
> I know that RODCs sound like a good idea, except for two things, they
> were only really designed for a small site user base, but more
> importantly, what happens if the site link goes down for any
> considerable period ?

This is the first time we have used an RODC; our choice was more of a security-oriented one.
The remote site should have about 30 servers, and we consider the connection to be
sufficiently reliable and redundant. It is possible that there were some moments of disconnection
between the various domain controllers while we were fixing the firewall rules, but not prolonged for hours.

> You also haven't told us what Linux distro you are using and how you
> set up the RODC and fileserver, what is in their smb.conf files for
> instance ?

All Samba servers are Debian 12. Samba on the domain members is 4.17.12-Debian,
while on the RODC it is the backports version 4.21.1-Debian-4.21.1+dfsg-2~bpo12+1.

The smb.conf of the RODC was generated at join time:

# Global parameters
[global]
	dns forwarder = 8.8.8.8 8.8.4.4
	netbios name = LVSRVDC
	realm = INTRA.COMUNE.TRENTO.IT
	server role = active directory domain controller
	workgroup = INTRA

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/intra.comune.trento.it/scripts
	read only = No

This is the smb.conf of one of the file servers.

[global]
    realm = INTRA.COMUNE.TRENTO.IT
    workgroup = INTRA
    security = ADS
    local master = no
    domain master = no
    preferred master = no
    mangling method = hash2
    server string = File server psn-lvsrv39

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000
    idmap config INTRA : backend = rid
    idmap config INTRA : range = 10000-99999

    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = no

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind expand groups = 2

    server min protocol = NT1

    log file = /var/log/samba/%M_%U_%R.smbd
    log level = 1

    hosts allow = \
        192.168.0.0/255.255.0.0 \
        10.48.0.0/255.240.0.0

    load printers = no
    printcap name = /dev/null
    disable spoolss = yes

    usershare path =

    deadtime = 60
    use sendfile = true

    include = /etc/samba/fileshares/fsapp.conf


-- 
Mitja Tavčar