[Samba] R: R: R: samba remote site client authentication and network browsing problem
Manzini Enrico
emanzini at zensistemi.com
Thu Jan 2 08:25:56 UTC 2025
Hi Rowland
I tried several tests and:
- tried an fsmo transfer from the rwdc used as replication partner to the secondary dc, no luck, the problem persists
- tried the join with no replication partner specified, no luck, the problem persists
Also, during the join procedure the rodc finds a domain controller to use as a replication partner anyway (it says "find dc dc_name", and after the join procedure we can find it as an ntds rodc connection object in Active Directory Sites and Services)
Also:
- servers dns correctly configured
- client dns correctly configured
- client logon server correctly connected
The nltest command reports the correct rodc server.
But the problem explained above persists.
Enrico Manzini
-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Tuesday 31 December 2024 11:37
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] R: R: samba remote site client authentication and network browsing problem
On Tue, 31 Dec 2024 09:42:05 +0000
Manzini Enrico via samba <samba at lists.samba.org> wrote:
> Ok, but why, if I browse the network from the client with the remote
> rodc and the rwdc used as replication partner for the rodc join both online,
> does everything work as expected, but if I shut down the rwdc used as
> replication partner for the rodc join, does the client no longer work?
>
Possibly because the RODC is hard wired to use its replication partner for passwords?
Is dns set up correctly?
> The join command for the remote rodc RODC-1 is:
> samba-tool domain join scratch.lan RODC --server=dc-1.scratch.lan
> --realm=SCRATCH.LAN --site=REMOTE --option='idmap_ldb:use rfc2307 =
> yes' -U administrator -W SCRATCH
>
You shouldn't have to use '--server=' to join, Samba should find the best DC to use. Once the RODC is joined, it should use itself as its first nameserver.
> The situation is as follows (client rebooted):
> RODC-1 and DC-1 online:
> Client can browse the network as expected, for example it can parse DC-2
> (the second dc in the central site) shares (netlogon and sysvol) in
> single sign on.
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-1 dc=scratch,dc=lan -U administrator' works fine
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U administrator' works fine
>
> RODC-1 online and DC-1 offline:
> Client no longer works, and cannot parse DC-2 shares
Is the client using the RODC as its nameserver?
> RODC-1 shell:
> 'samba-tool drs replicate rodc-1 dc-2 dc=scratch,dc=lan -U
> administrator' does not work anymore
>
If the link is up and dns is correct, it should be able to replicate.
> ADDITIONAL INFORMATION
> We also made a mirrored test with a pure Microsoft Windows
> infrastructure (2 dc's in a central site, and a remote site's rodc),
> and the problem did not arise
>
If you are sure that your dns is correct and the only difference is that Windows works and Samba doesn't, then I suggest you file a bug report.
Rowland
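Rowland's questions above come down to two checks a remote-site client should pass: its first nameserver should be the RODC, and the site-specific SRV records for the site (the standard `_ldap._tcp.<site>._sites.dc._msdcs.<realm>` family) should name the RODC rather than only the central-site DCs. The following is an added example, not code from the thread or from Samba; it parses a constructed /etc/resolv.conf and constructed dig-style SRV answer lines (the IPs, the site name REMOTE and the host names are taken from the thread or assumed) and reports any mismatch.

```python
"""Check a remote-site client's DNS setup against an RODC (added example).

Inputs are constructed: resolv.conf text and dig-style SRV answer lines.
The realm, site and host names follow the thread; the IPs are assumed.
"""
import re
from dataclasses import dataclass

# Matches one dig answer line: "<name> <ttl> IN SRV <prio> <weight> <port> <target>"
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answers(text):
    """Parse dig-style SRV answer lines; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(
                name=m.group(1).rstrip(".").lower(),
                priority=int(m.group(2)),
                weight=int(m.group(3)),
                port=int(m.group(4)),
                target=m.group(5).rstrip(".").lower(),
            ))
    return records


def parse_resolv_conf(text):
    """Return nameserver IPs in the order the resolver will try them."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def expected_site_srv_names(realm, site):
    """Site-specific SRV names an AD client in `site` looks up first."""
    realm, site = realm.lower(), site.lower()
    return [
        f"_ldap._tcp.{site}._sites.dc._msdcs.{realm}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{realm}",
        f"_ldap._tcp.{site}._sites.{realm}",
        f"_kerberos._tcp.{site}._sites.{realm}",
    ]


def check_site_dns(realm, site, rodc_fqdn, rodc_ip, resolv_conf, srv_answers):
    """Return a list of findings; an empty list means the client looks right."""
    findings = []
    nameservers = parse_resolv_conf(resolv_conf)
    if not nameservers or nameservers[0] != rodc_ip:
        first = nameservers[0] if nameservers else "none"
        findings.append(f"first nameserver is {first}, expected RODC {rodc_ip}")
    by_name = {}
    for rec in parse_srv_answers(srv_answers):
        by_name.setdefault(rec.name, []).append(rec)
    for name in expected_site_srv_names(realm, site):
        targets = {r.target for r in by_name.get(name, [])}
        if not targets:
            findings.append(f"no SRV record for {name}")
        elif rodc_fqdn.lower() not in targets:
            findings.append(f"{name} points to {sorted(targets)}, not the RODC {rodc_fqdn}")
    return findings


# Constructed sample data (IPs are assumed, not from the thread).
RODC_FQDN = "rodc-1.scratch.lan"
RODC_IP = "10.20.0.10"
GOOD_RESOLV = "search scratch.lan\nnameserver 10.20.0.10\nnameserver 10.10.0.1\n"
BAD_RESOLV = "search scratch.lan\nnameserver 10.10.0.1\n"  # central-site DC-1 first
SRV_ANSWERS = """
;; ANSWER SECTION:
_ldap._tcp.remote._sites.dc._msdcs.scratch.lan. 900 IN SRV 0 100 389 rodc-1.scratch.lan.
_kerberos._tcp.remote._sites.dc._msdcs.scratch.lan. 900 IN SRV 0 100 88 rodc-1.scratch.lan.
_ldap._tcp.remote._sites.scratch.lan. 900 IN SRV 0 100 389 rodc-1.scratch.lan.
_kerberos._tcp.remote._sites.scratch.lan. 900 IN SRV 0 100 88 dc-1.scratch.lan.
"""

if __name__ == "__main__":
    for label, resolv in (("good resolv.conf", GOOD_RESOLV), ("bad resolv.conf", BAD_RESOLV)):
        print(label)
        for finding in check_site_dns("SCRATCH.LAN", "REMOTE", RODC_FQDN, RODC_IP, resolv, SRV_ANSWERS):
            print("  -", finding)
```

With the constructed data the good resolv.conf still yields one finding (the site Kerberos record points at dc-1, so when DC-1 goes offline the client's site-local lookup fails), and the bad resolv.conf adds a second: the client asks a central-site DC first. Feed the script the client's real resolv.conf and the output of `dig SRV` for the four names to run the same checks on a live site.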
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba