[Samba] R: R: samba remote site client authentication and network browsing problem
Rowland Penny
rpenny at samba.org
Tue Dec 31 10:36:51 UTC 2024
On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Ok, but why, if I browse the network from the client with the remote
> rodc and the rwdc used as replication partner for rodc join online,
> everything works as expected, but if I shut down the rwdc used for rodc
> join replication partner offline, the client does not work anymore?
>
Possibly because the RODC is hard wired to use its replication partner
for passwords?
Is DNS set up correctly?
> The join command for the remote rodc RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan
> --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 =
> yes' -U administrator -W SCRATCH
>
You shouldn't have to use '--server=' to join, Samba should find the
best DC to use. Once the RODC is joined, it should use itself as its
first nameserver.
> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse network as expected, for example it can parse DC-2
> (the second dc in the central site) shares (netlogon and sysvol) in
> single sign on
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
>
> RODC-1 online and DC-1 offline:
> Client does not work anymore, and cannot parse DC-2 shares
Is the client using the RODC as its nameserver?
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U
> administrator' does not work anymore
>
If the link is up and dns is correct, it should be able to replicate.
> ADDITIONAL INFORMATION
> We also make a specular test with a pure Microsoft Windows
> infrastructure (2 dc's in a central site, and a remote site's rodc),
> and the problem did not arise
>
If you are sure that your dns is correct and the only difference is
that Windows works and Samba doesn't, then I suggest you file a bug
report.
Rowland