[Samba] R: R: samba remote site client authentication and network browsing problem
Manzini Enrico
emanzini at zensistemi.com
Tue Dec 31 09:42:05 UTC 2024
Ok, but why, if I browse the network from the client with the remote RODC and the RWDC used as replication partner for the RODC join online, does everything work as expected, but if I shut down the RWDC used as replication partner for the RODC join, the client no longer works?
The join command for the remote rodc RODC-1 is:
samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 = yes' -U administrator -W SCRATCH
The situation is as follows (client rebooted):
RODC-1 and DC-1 online:
Client can browse the network as expected; for example, it can parse DC-2's shares (the second DC in the central site: netlogon and sysvol) with single sign-on
RODC-1 shell:
'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
RODC-1 online and DC-1 offline:
Client no longer works, and cannot parse DC-2 shares
RODC-1 shell:
'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' does not work anymore
ADDITIONAL INFORMATION
We also made a mirror test with a pure Microsoft Windows infrastructure (2 DCs in a central site, and a remote site's RODC), and the problem did not arise
Enrico Manzini
-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Monday, 30 December 2024 18:03
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] R: samba remote site client authentication and network browsing problem
On Mon, 30 Dec 2024 16:07:31 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Hi Rowland
> We actually use RODC's because we have a customer with hub and spoke
> configuration with 4 RWDC's in the central site, and about 80 remote
> sites with RODC's deployed, all of these with low hardware security,
> sites where the machine can physically be stolen,
Well, as I said, from my point of view, that is the only valid reason to deploy an RODC.
> so we opted to
> use RODC machines at the remote sites. Connectivity and DNS
> resolution both work fine, whether the DC used as RODC
> replication partner is online or offline. We reproduced the customer
> configuration in an internal lab and:
> - Linux-based deployment works only if the server used as replication
> partner during the RODC domain join is online; after that, if it is
> offline, the problem we explained before arises
That is something I think you need to explain a bit better. Joining an RODC is no different to joining an RWDC, and you do not need to specify a replication partner for either; Samba should find the 'best' DC to join and replicate from.
>
> We also tested a remote RWDC environment, and:
> - with the remote server configured as RWDC and not as RODC, the
> problem did not arise
That is because an RWDC will have all the AD records and can supply these without contacting another DC; an RODC needs to 'talk' to an RWDC to get some, if not all, of the required AD records, which it then 'caches'.
>
> We also tested a pure Windows environment from scratch and:
> - Windows-based deployment works fine in both cases
>
If that is the case, then I suggest you get level 10 logs and wire traces and open a Samba bug report. A Samba AD computer should do what a Windows one can (but be aware, Samba not doing something can be down to a lack of code to do it, and you may have to wait until that code does get created).
Rowland