
Re: [Samba] Issues with RODC




Hi Rowland,

Thanks for your answer, especially on a Sunday! :-)



On Sun, May 5, 2019 at 11:31 AM Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Sun, 5 May 2019 10:13:07 -0300
> Emerson Kfuri <emersonkfuri@xxxxxxxxx> wrote:
>
> > On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <
> > samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Sun, 5 May 2019 09:20:37 -0300
> > > Emerson Kfuri via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > Hello,
> > > >
> > > > Recently I started using RODC servers on my environment and
> > > > noticed a few issues with it:
> > > > - lack of LDAP SPNs
> > > > - "samba_dnsupdate" not working with "insufficient access
> > > > rights" (it works from RWDCs)
> > >
> > > Probably because you cannot write to an RODC
> > >
> >
> > Yes! That's the idea! But if these records are not automatically
> > registered, it means admins always have to add them manually. This should
> > be documented so...
>
> In the Samba world, working RODCs are relatively new, so things like
> this are still being found.


Yeah! My intent is just to point out my experience with it. It is my first
time with RODC too. :-)
I don't know how it works on Windows. Do you know if, on a Windows Server,
DNS records of an RODC are added automatically or manually?
But at least for now, I think manual registration should be documented so
RODCs can function properly, right?


>
>
> > >
> > > > - "samba-tool dbcheck" changes instancetype of basically all
> > > > objects from 4 to 0.
> > >
> > > '4' means 'The object is writeable on this directory.', well it
> > > isn't on an RODC, so '0' is probably correct.
> > >
> > > > New replicated objects continues being created with instancetype 4
> > > > and dbcheck continues to change them
> > >
> > > See above.
> > >
> >
> > So why not create these objects already with instancetype 0?
>
> Because they are being replicated in from an RWDC where '4' is correct,
> I would think that the Windows RODC will probably have code to do this
> during replication and, obviously, Samba hasn't yet.
>

I imagine so too. I thought about filing a bug report for these issues
but wanted to send here first to see if it is really a bug or some kind of
misconfiguration on my setup.


> >
> > >
> > > > - "samba-tool drs showrepl" exiting with
> > > > WERR_DS_DRA_ACCESS_DENIED
> > >
> > > Replication is one way into the RODC
>

Yes, but it would be really great if this tool worked to show us whether inbound
replication is alright.


> > >
> > > > - "samba-tool domain tombstones expunge" is unable to expunge
> > > > expired deleted objects
> > >
> > > This may be a problem, but then again it might not be, to 'delete'
> > > you have to have 'write', but you cannot write to an RODC.
> > >
> >
> > And how to prevent the database from accumulating garbage?
>
> Again, this is probably something that will get fixed down the line,
> but it seems this isn't just a Samba problem, a quick internet search
> turned up the Windows fix for this, demote and rejoin the RODC ;-)


For now I've excluded them directly from the LDB partitions and then run dbcheck to
remove dangling links.


>
> >
> > > Are you using the RODCs in the same site as your RWDCs?
> > > If so, why?
> > > RODCs are meant to be used where there are security and/or other
> > > concerns, so if you have RWDCs at the same place, why use RODCs?
> > >
> > >
> > I have 3 sites and all of them have an RWDC and at least one RODC. I
> > use multiple RWDCs to balance write load and multiple RODCs to reduce
> > replication flow. Because of my database size and number of
> > simultaneous clients, I needed to grow the number of controllers to
> > balance LDAP queries since servers became unresponsive due to LDAP
> > memory leaks.
>
> That isn't really how RODCs are meant to be used.
>
> If you have LDAP memory leaks, then you should create a bug report
> or, if there is one, add to an existing bug report, things like this
> will not get fixed unless Samba is told about it.
>
>
I know, but I have to keep my setup running, and so I did this.
There is already a bug report, #11232, open since version 4.1, but as it is hard
to detect the source of the leak, it is still open.


> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


Emerson
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
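As an added example (not from the thread and not Samba's own code), a small checker for the instanceType discussion above: it parses ldbsearch-style LDIF, decodes the instanceType bitmask using the flag values from MS-ADTS, and lists objects that still claim the WRITE bit (value 4), which is what dbcheck resets to 0 on an RODC. The LDIF sample is constructed; the DNs and the `ldbsearch` invocation in the comment are assumptions.

```python
# instanceType bit flags as defined in MS-ADTS (constants are real; the
# sample data below is constructed for this example).
INSTANCE_TYPE_FLAGS = {
    0x1: "IS_NC_HEAD",   # object is the head of a naming context
    0x2: "UNINSTANT",    # replica not instantiated
    0x4: "WRITE",        # object is writable on this DC (never true on an RODC)
    0x8: "NC_ABOVE",     # the NC above this one is held on this DC
    0x10: "NC_COMING",   # NC is being constructed
    0x20: "NC_GOING",    # NC is being removed
}

# Constructed sample resembling the output of (assumed invocation):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=*)' instanceType
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
instanceType: 4

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
instanceType: 0

# record 3
dn: DC=example,DC=com
instanceType: 5

# returned 3 records
"""


def parse_ldif(text):
    """Yield (dn, instanceType) pairs; records are separated by blank lines."""
    dn, itype = None, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("instanceType: "):
            itype = int(line.split(":", 1)[1])
        elif not line.strip():
            if dn is not None and itype is not None:
                yield dn, itype
            dn, itype = None, None
    if dn is not None and itype is not None:  # record without trailing blank line
        yield dn, itype


def decode_flags(value):
    """Return the flag names set in an instanceType value, lowest bit first."""
    return [name for bit, name in sorted(INSTANCE_TYPE_FLAGS.items()) if value & bit]


def writable_objects(text):
    """DNs whose instanceType has WRITE set; on an RODC dbcheck will clear these."""
    return [dn for dn, itype in parse_ldif(text) if itype & 0x4]
```

Run it against a real export (after replication has brought in new objects) to see which entries dbcheck will touch before it runs.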