[Samba] samba remote site client authentication and network browsing problem

Manzini Enrico emanzini at zensistemi.com
Tue Dec 24 11:38:17 UTC 2024


Hello,
we are testing a dc/rodc configuration with Samba AD, but we are stuck with a problem that occurs when one of the writable DCs (the one that was used as a partner during rodc join) is shut down:
 
Test configuration:
- writable dc and read only dc Samba 4.21 installed on Debian 12, with two sites configured
- 2 writable dc named dc-1 and dc-2 on central site
- 1 read only dc named rodc-1 on remote site
- Active directory sites and services configured as expected (one central site and one remote site with subnet association)
- 1 remote client Windows 10 named remote-1 (in same site as rodc-1)

- we joined the remote site rodc named rodc-1 using as replication partner the writable dc named dc-1
- we joined the Windows 10 client using the read only dc named rodc-1
- we verified that the remote client uses the rodc server as logon server through nltest /dsgetdc:domain_name
 
Problem:
- if we browse the network from the remote-1 client with the rodc and the writable dc used as the rodc replication partner for domain join online, everything is ok and the network browsing in single sign on works as expected
- if we browse the network from the remote-1 client with the rodc online but the writable dc used as the rodc replication partner for domain join offline, network browsing does not work as expected, and network browsing of servers in central site (for example dc-2) does not work, with the Windows client requesting authentication (single sign on still works if browsing using explorer on read only domain controller, until it is restarted. After the restart the rodc browsing also does not work anymore)
- If we put back online that writable DC, everything goes back to normal: single sign on works correctly and the Windows client can browse every server
 
Do you have any suggestions?
Thank you for your help

Enrico Manzini

