Web lists-archives.com

Re: [Samba] RODC and LDAP via Simple Authentication fails




Am 22.01.2018 um 21:39 schrieb Andrew Bartlett:
> On Mon, 2018-01-22 at 21:30 +0100, Johannes Engel via samba wrote:
>> [2018/01/22 21:15:50.022197,  2]
>> ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
>>   auth_check_password_recv: sam_failtrusts authentication for user
>> [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
>> authoritative=1
> Hmm.  Are you sure the RODC's join to the domain is all OK?
Certainly to me it looks ok:

Finding a writeable DC for domain 'my.domain.com'
Found DC dc.my.domain.com
Password for [MYDOMAIN\Administrator]:
workgroup is MYDOMAIN
realm is my.domain.com
Deleted
CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
Adding CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com
Adding CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com
Got krbtgt_name=krbtgt_38921
Renaming CN=krbtgt_MYRODC,CN=Users,DC=my,DC=domain,DC=com to
CN=krbtgt_38921,CN=Users,DC=my,DC=domain,DC=com
Adding
CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
Adding CN=NTDS
Settings,CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
Adding CN=RODC Connection (FRS),CN=NTDS
Settings,CN=MYRODC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
Adding SPNs to CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com
Setting account password for MYRODC$
Enabling account
Calling bare provision
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.5.206
Looking up IPv6 addresses
More than one IPv6 address found. Using 2001:1234:5678::1
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
The Kerberos KDC configuration for Samba AD is located at
/var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=my,DC=domain,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[402/1638]
linked_values[0/0]
Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[804/1638]
linked_values[0/0]
Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1206/1638]
linked_values[0/0]
Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1608/1638]
linked_values[0/2]
Partition[CN=Configuration,DC=my,DC=domain,DC=com] objects[1638/1638]
linked_values[38/38]
Replicating critical objects from the base DN of the domain
Partition[DC=my,DC=domain,DC=com] objects[100/100] linked_values[39/39]
Partition[DC=my,DC=domain,DC=com] objects[502/566] linked_values[0/82]
Partition[DC=my,DC=domain,DC=com] objects[666/566] linked_values[243/243]
Done with always replicated NC (base, config, schema)
Exop on[CN=MYRODC,OU=Domain Controllers,DC=my,DC=domain,DC=com]
objects[1] linked_values[8]
Exop on[CN=krbtgt_38921,CN=Users,DC=my,DC=domain,DC=com] objects[1]
linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting RODC invocationId
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain MYDOMAIN (SID S-1-5-21-2089342896-204912209-1759679801) as
an RODC

Any thoughts?
Best regards
Johannes

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba