[Samba] Re: samba remote site client authentication and network browsing problem
Manzini Enrico
emanzini at zensistemi.com
Mon Dec 30 16:07:31 UTC 2024
Hi Rowland
We actually use RODCs because we have a customer with a hub and spoke configuration with 4 RWDCs in the central site and about 80 remote sites with RODCs deployed, all of these with low hardware security, sites where the machine can physically be stolen, so we opted to use RODC machines at the remote sites.
The connectivity and DNS resolution both work fine, whether the DC used as RODC replication partner is online or offline.
We reproduced the customer configuration in an internal lab and:
- Linux based deployment works only if the server used as replication partner during the RODC domain join is online; after that, if it is offline, the problem we explained before arises
We also tested a remote RWDC environment, and:
- with the remote server configured as RWDC and not as RODC, the problem did not arise
We also tested a pure Windows environment from scratch, and:
- Windows based deployment works fine in both cases
Regards
Enrico Manzini
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Tuesday 24 December 2024 15:12
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] samba remote site client authentication and network browsing problem
On Tue, 24 Dec 2024 11:38:17 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Hello,
> we are testing a DC/RODC configuration with Samba AD, but we are stuck
> with a problem that occurs when one of the writable DCs (the one that
> was used as a partner during RODC join) is shut down.
> Test configuration:
> - writeable dc and read only dc Samba 4.21 installed on
> Debian 12, with two sites configured
> - 2 writable dc named dc-1 and dc-2 on central site
> - 1 read only dc named rodc-1 on remote site
> - Active directory sites and services configured as expected
> (one central site and one remote site with subnet association)
> - 1 remote client windows 10 named remote-1 (in same site as
> rodc-1)
> - we joined the remote site rodc named rodc-1 using as
> replication partner the writable dc named dc-1
> - we joined the windows 10 client using the read only dc
> named rodc-1
> - we verified that the remote client uses the rodc server as
> logon server through nltest /dsgetdc:domain_name
> Problem:
> - if we browse the network from the remote-1 client with the
> rodc and the writable dc used as the rodc replication partner for
> domain join online, everything is ok and the network browsing in
> single sign on works as expected
> - if we browse the network from the remote-1 client with the
> rodc online but the writable dc used as the rodc replication partner
> for domain join offline, network browsing does not work as expected,
> and network browsing of servers in central site (for example dc-2)
> does not work, with the Windows client requesting authentication
> (single sign on still works if browsing using explorer on read only
> domain controller, until it is restarted. After the restart the rodc
> browsing also does not work anymore)
> - If we put back online that writable DC, everything goes back
> to normal: single sign on works correctly and the windows client can
> browse every server.
> Do you have any suggestions?
> Thank you for your help
>
> Enrico Manzini
First, what is your reason to use an RODC instead of a RWDC ? If it isn't 'we are afraid the DC might be stolen', then I would give up on the RODC and install a RWDC.
Your AD clients must be able to find their records, as do your users; this means that, if the network is flaky, machine, user & group records will have to be replicated to the RODC, but the passwords, by default, are not. You can force replication of the passwords, but if you do, you now have something very akin to an RWDC.
So, to put it in a nutshell, I personally would only run an RODC if it was likely to be stolen (in which case, you would have to ask, why do we have anything valuable here ?) and if the dns is rock solid to allow uninterrupted communication between the RODC and the other site.
Rowland
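Added example, not from this thread or from the Samba project: a small parser for `samba-tool drs showrepl` output that flags naming contexts for which every inbound replication partner is failing, which is the state rodc-1 is in once dc-1 is shut down and a condition worth alerting on before remote clients notice. The sample output is constructed and its text format is assumed from memory, so check the regexes against a real run on your RODC.

```python
import re

# Constructed sample of `samba-tool drs showrepl` as run on rodc-1 while its only
# replication partner dc-1 is offline (format assumed from memory, not a real run).
SAMPLE = """\
Remote-Site\\RODC-1
DSA object GUID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ====

DC=ad,DC=example,DC=com
\tCentral-Site\\DC-1 via RPC
\t\tLast attempt @ Mon Dec 30 15:00:00 2024 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
\t\t7 consecutive failure(s).
\t\tLast success @ Mon Dec 30 11:00:00 2024 UTC

CN=Configuration,DC=ad,DC=example,DC=com
\tCentral-Site\\DC-1 via RPC
\t\tLast attempt @ Mon Dec 30 15:00:00 2024 UTC was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Dec 30 15:00:00 2024 UTC

==== OUTBOUND NEIGHBORS ====
"""

def parse_showrepl(text):
    """Return (partition, partner, consecutive_failures) per inbound neighbour."""
    records, section, partition, partner = [], None, None, None
    for line in text.splitlines():
        if line.startswith("===="):
            section = "inbound" if "INBOUND" in line else "other"
        elif section != "inbound" or not line.strip():
            continue
        elif not line[0].isspace():                  # naming context line
            partition = line.strip()
        elif (m := re.match(r"\t(\S+) via \S+", line)):   # "<site>\<dc> via RPC"
            partner = m.group(1)
        elif (m := re.search(r"(\d+) consecutive failure", line)) and partner:
            records.append((partition, partner, int(m.group(1))))
    return records

def cut_off_partitions(text):
    """Naming contexts whose every inbound partner is failing: the RODC can no
    longer pull changes, the state rodc-1 is in once dc-1 is shut down."""
    by_part = {}
    for partition, _partner, failures in parse_showrepl(text):
        by_part.setdefault(partition, []).append(failures)
    return sorted(p for p, f in by_part.items() if min(f) > 0)
```

Run it against `samba-tool drs showrepl` output from the RODC on a timer; an RODC with a single partner, as in the thread, shows up here as soon as that partner stops answering.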