s4-drs: Working on Support RODC

Fernando J V da Silva fernandojvsilva at yahoo.com.br
Wed Feb 10 10:26:08 MST 2010 

Hi!

I'm thinking about contribute to "Support RODC" (mentioned at DRS ToDo
List). Is there anybody already working on it? Is there any advice
related to which task should I start?

> Support RODC
> A RODC (read-only domain controller) is a potentially very useful use case for Samba4. There is quite a lot of changes in replication and attribute filtering > that should be done when we are a RODC.
> Tasks:
> - Modify the provision script to mimic the dcpromo to RODC operations

Is there any documentation where I could look at for checking what
exactly should be done on provision when it is a RODC?

> - Support for the RODC filtered attribute set
> - Implement marking an attribute as confidential.

I'm thinking about create a separate function at dsdb/common/util.c
for each of the above two tasks ... Then perhaps create other
functions to access those ones from python and perhaps use some tool
(ldbadd, ldbmodify ... ?) to allow users for creating RODC filtered
attrs or marking attrs as confidential ...

> - Create the RODC default filtered attribute set:

Should that RODC default filtered attribute set be created during
provision? If not, where exactly should they be created?


> - Mark as confidential any attributes that you configure as part of the RODC filtered attribute set.
> - Support Administrator role separation - delegate the local administrator of an RODC to domain user or security group without granting that user or group > any rights for the domain or other domain controllers.
> - Unidirectional replication - allow only inbound replication
> - Read-only database - LDAP clients that want to perform a write operation are referred to a writable domain controller in the hub site.
> - Credential caching - By default, an RODC does not store account credentials, except for its own computer account and a special krbtgt account for that
> RODC. You must explicitly allow any other credentials to be cached on that RODC, including the appropriate user, computer, and service accounts, to
> allow the RODC to satisfy authentication and service ticket requests locally.


I'll be glad for any help! :-)


-- 
Fernando J V da Silva
M Sc Computer Science Student
Institute of Computing, State University of Campinas
+55 15 8801-2165

More information about the samba-technical mailing list