Web lists-archives.com

Re: [Samba] RODC and LDAP via Simple Authentication fails




On Mon, 22 Jan 2018 20:36:04 +0100
Johannes Engel via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Dear all,
> 
> setting up a DMZ environment I was thinking to use an RODC there for
> user authentication. One of the application in the DMZ needs to access
> the directory via LDAP.
> 
> When I tried to connect to the RODC using LDAP with simple bind, I
> always received the following error
> 
> ldap_bind: Invalid credentials (49)
>         additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 6fa, v1db1
> 
> even though the credentials used are correct and do work with the
> "normal" DCs.
> 
> I have already added the corresponding user to the group "Allowed RODC
> Password Replication Group", but that did not change anything...
> 
> Authentication through Kerberos seems to work, but is not an option
> for the application, unfortunately.
> 
> Did I miss anything that prevents my scenario to work by design?
> Thanks a lot for your help!
> 
> Best regards
> Johannes
> 
> 

I wouldn't do this, the DC (RODC or otherwise) would have to be a
global catalogue. Try reading this:

https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/

In short, you need to setup a domain in the DMZ and then setup a trust
between this domain and your other domain.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba