
Re: [Samba] RODC and LDAP via Simple Authentication fails

Hi Rowland,

thanks a lot for the hint. I will read through this.

Best regards
Johannes


On 22.01.2018 at 21:22, Rowland Penny wrote:
> On Mon, 22 Jan 2018 20:36:04 +0100
> Johannes Engel via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Dear all,
>>
>> setting up a DMZ environment, I was thinking of using an RODC there for
>> user authentication. One of the applications in the DMZ needs to access
>> the directory via LDAP.
>>
>> When I tried to connect to the RODC using LDAP with simple bind, I
>> always received the following error
>>
>> ldap_bind: Invalid credentials (49)
>>         additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 6fa, v1db1
>>
>> even though the credentials used are correct and do work with the
>> "normal" DCs.
>>
>> I have already added the corresponding user to the group "Allowed RODC
>> Password Replication Group", but that did not change anything...
>>
>> Authentication through Kerberos seems to work, but is not an option
>> for the application, unfortunately.
>>
>> Did I miss anything that prevents my scenario from working by design?
>> Thanks a lot for your help!
>>
>> Best regards
>> Johannes
>>
>>
> I wouldn't do this; the DC (RODC or otherwise) would have to be a
> global catalogue. Try reading this:
>
> https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/
>
> In short, you need to set up a domain in the DMZ and then set up a trust
> between this domain and your other domain.
>
> Rowland
>  

