[Samba] R: R: R: samba remote site client authentication and network browsing problem

Manzini Enrico emanzini at zensistemi.com
Thu Jan 2 08:25:56 UTC 2025


Hi Rowland

I tried several tests:
- tried an FSMO transfer from the RWDC used as replication partner to the secondary DC, no luck, the problem persists
- tried the join with no replication partner specified, no luck, the problem persists
	Also, during the join procedure the RODC finds a domain controller to use as a replication partner anyway (it says "find dc dc_name", and after the join procedure we can find it as an NTDS RODC connection object in Active Directory Sites and Services)

Also:
- servers' DNS correctly configured
- client DNS correctly configured
- client logon server correctly connected
	The nltest command reports the correct RODC server

But the problem explained above persists.

Enrico Manzini




-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Tuesday, 31 December 2024 11:37
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] R: R: samba remote site client authentication and network browsing problem

On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Ok, but why, if I browse the network from the client with the remote
> RODC and the RWDC used as replication partner for the RODC join online,
> does everything work as expected, but if I shut down the RWDC used as the
> RODC join replication partner, the client no longer works?
> 

Possibly because the RODC is hard-wired to use its replication partner for passwords?
Is DNS set up correctly?

> The join command for the remote RODC RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 = yes' -U administrator -W SCRATCH
> 

You shouldn't have to use '--server=' to join, Samba should find the best DC to use. Once the RODC is joined, it should use itself as its first nameserver.

> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse the network as expected, for example it can parse DC-2
> (the second DC in the central site) shares (netlogon and sysvol) with
> single sign-on.
> RODC-1 shell: 'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine,
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
> 
> RODC-1 online and DC-1 offline:
> Client no longer works, and cannot parse DC-2 shares

Is the client using the RODC as its nameserver?

> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' does not work anymore
> 

If the link is up and DNS is correct, it should be able to replicate.

> ADDITIONAL INFORMATION
> We also made a mirror test with a pure Microsoft Windows
> infrastructure (2 DCs in a central site, and a remote site's RODC),
> and the problem did not arise
> 

If you are sure that your DNS is correct and the only difference is that Windows works and Samba doesn't, then I suggest you file a bug report.

Rowland
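A way to answer the "is DNS set up correctly" question for a remote site: AD clients locate their site's DCs through the `_ldap._tcp.<site>._sites.dc._msdcs.<realm>` SRV record, so if the RODC is missing there the client silently falls back to whatever DC the domain-wide record returns. This is an added diagnostic, not code from the thread or from Samba; it assumes `dig` is available, takes realm scratch.lan and site REMOTE from the join command quoted above, and the SRV lines in its comments are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check the site-aware DC locator
# records a client in a remote site uses to find its RODC. Realm scratch.lan
# and site REMOTE come from the join command in the thread; any SRV lines
# shown in comments here are constructed samples, not real query results.

# Site-specific LDAP SRV record: clients in a site prefer DCs listed here.
site_srv_name() {   # $1 = realm, $2 = site name
    printf '_ldap._tcp.%s._sites.dc._msdcs.%s\n' "$2" "$1"
}

# Domain-wide LDAP SRV record: the fallback when no site record answers.
domain_srv_name() { # $1 = realm
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Read `dig +short SRV` lines ("priority weight port target.") on stdin and
# print the target hostnames, lowest priority first, trailing dot removed.
# e.g. "10 100 389 dc-1.scratch.lan." / "0 100 389 rodc-1.scratch.lan."
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4 }' | sort -n | awk '{ print $2 }'
}

# Report whether the RODC is advertised for its site and what a client
# would otherwise fall back to. Return 0 = RODC listed, 1 = site record
# exists but lacks the RODC, 2 = no site record at all.
check_site() {      # $1 = realm, $2 = site, $3 = RODC fqdn
    site_rec=$(site_srv_name "$1" "$2")
    site_targets=$(dig +short SRV "$site_rec" | srv_targets)
    if [ -z "$site_targets" ]; then
        echo "no $site_rec record: clients in $2 use any DC from $(domain_srv_name "$1")"
        return 2
    fi
    if ! echo "$site_targets" | grep -qx "$3"; then
        echo "RODC $3 is not in $site_rec (found: $(echo "$site_targets" | tr '\n' ' '))"
        return 1
    fi
    echo "site $2 locator OK, DCs in priority order: $(echo "$site_targets" | tr '\n' ' ')"
}

# Example run (needs dig and access to the domain's DNS):
# check_site scratch.lan REMOTE rodc-1.scratch.lan
```

Run it once against the client's configured nameserver and once against the RODC itself; a difference between the two answers is the kind of DNS inconsistency the reply above asks about.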
