[Samba] R: samba remote site client authentication and network browsing problem

Rowland Penny rpenny at samba.org
Mon Dec 30 17:03:20 UTC 2024


On Mon, 30 Dec 2024 16:07:31 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Hi Rowland
> We actually use RODC's because we have a customer with hub and spoke
> configuration with 4 RWDC's in the central site, and about 80 remote
> sites with RODC's deployed, all of these with low hardware security,
> sites where the machine can physically be stolen,

Well, as I said, from my point of view, that is the only valid reason
to deploy an RODC.
 
> so we opted to
> use RODC's machines at the remote sites. The connectivity and dns
> resolution both work fine, whether the dc used as rodc
> replication partner is online or offline. We reproduce the customer
> configuration in an internal lab and:
>  - linux based deployment works only if the server used as
> replication partner during the rodc domain join is online; after that,
> if it is offline, the problem we explained before arises

That is something I think you need to explain a bit better, joining an
RODC is no different to joining an RWDC and you do not need to specify a
replication partner for either, Samba should find the 'best' DC to join
and replicate from.

> 
> We also test a remote RWDC environment, and:
>  - with the remote server configured as RWDC and not as RODC, the
> problem did not arise

That is because an RWDC will have all the AD records and can supply
these without contacting another DC, an RODC needs to 'talk' to an RWDC
to get some, if not all the required AD records, which they then
'cache'.

> 
> We also test a pure windows environment from scratch and:
>  - windows based deployment works fine in both cases
>

If that is the case, then I suggest you get level 10 logs and wire
traces and open a Samba bug report, a Samba AD computer should do what
a Windows one can (but be aware, Samba not doing something can be down
to lack of code to do it and you may have to wait until that code
does get created)

Rowland


