Re: [Samba] Issues with RODC

On 05/05/2019 05:14 PM, Emerson Kfuri via samba wrote:
Hi Rowland,

Thanks for your answer, especially on a Sunday! :-)

On Sun, May 5, 2019 at 11:31 AM Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

On Sun, 5 May 2019 10:13:07 -0300
Emerson Kfuri <emersonkfuri@xxxxxxxxx> wrote:

On Sun, May 5, 2019 at 9:52 AM Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

On Sun, 5 May 2019 09:20:37 -0300
Emerson Kfuri via samba <samba@xxxxxxxxxxxxxxx> wrote:


Recently I started using RODC servers on my environment and
noticed a few issues with it:
- lack of LDAP SPNs
- "samba_dnsupdate" not working with "insufficient access
rights" (it works from RWDCs)

Probably because you cannot write to an RODC

Yes! That's the idea! But if these records are not automatically
registered, it means the admin always has to add them manually. This should
be documented so...

In the Samba world, working RODCs are relatively new, so things like
this are still being found.

Yeah! My intent is just to point out my experience with it. It is my first
time with RODC too. :-)
I don't know how it works on Windows. Do you know if, on a Windows Server,
DNS records of an RODC are added automatically or manually?
But at least for now, I think manual registration should be documented so
RODCs can function properly, right?

Good Morning.

I've tested RODC functionality using samba-4.9.4 and samba-4.11.0pre1-GIT-f1a1c300e19 built on Debian 9. The builds use the internal Heimdal KDC and the internal DNS backend.

For me there's no lack of LDAP SPNs and samba_dnsupdate works as expected, except that the GC SRV entry isn't created. But this seems intended (why?); look at source4/scripting/bin/samba_dnsupdate line 699.

You must configure a DNS forwarder to get it working.
In the Windows world, DNS records of RODCs are added automatically.
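A quick way to check a DC's registration, whether the records came from samba_dnsupdate or were added by hand, is to compare the standard AD DC-locator SRV names against what DNS actually answers. The following is an added example, not code from Samba or from anyone in this thread. The record names are the standard _ldap/_kerberos/_kpasswd/_gc locator names under the domain, the site and _msdcs; the GC names are formed under the domain name here, which is only right for a single-domain forest (they belong under the forest root otherwise). The domain, site and host names, and the sample zone contents, are constructed for the example; the sample zone mirrors the observation above (every record present except the GC ones).

```python
"""Report which DC-locator SRV records a domain controller is missing.

Added example, not Samba's code. Names follow the standard AD DC-locator
scheme; domain/site/host values below are made up for the example.
"""
import subprocess
from typing import Callable, List, Set, Tuple

# Ports the locator SRV records carry for each service.
LDAP, KERBEROS, KPASSWD, GC = 389, 88, 464, 3268

Resolver = Callable[[str], Set[Tuple[str, int]]]  # name -> {(target, port)}


def expected_srv_records(domain: str, site: str, is_gc: bool = True,
                         is_pdc: bool = False) -> List[Tuple[str, int]]:
    """SRV names every DC registers, plus the GC set (global catalogs only)
    and the PDC record (PDC emulator only). Single-domain forest assumed,
    so GC names are built under `domain` rather than a separate forest root."""
    msdcs = f"_msdcs.{domain}"
    records = [
        (f"_ldap._tcp.{domain}", LDAP),
        (f"_ldap._tcp.{site}._sites.{domain}", LDAP),
        (f"_ldap._tcp.dc.{msdcs}", LDAP),
        (f"_ldap._tcp.{site}._sites.dc.{msdcs}", LDAP),
        (f"_kerberos._tcp.{domain}", KERBEROS),
        (f"_kerberos._udp.{domain}", KERBEROS),
        (f"_kerberos._tcp.{site}._sites.{domain}", KERBEROS),
        (f"_kerberos._tcp.dc.{msdcs}", KERBEROS),
        (f"_kerberos._tcp.{site}._sites.dc.{msdcs}", KERBEROS),
        (f"_kpasswd._tcp.{domain}", KPASSWD),
        (f"_kpasswd._udp.{domain}", KPASSWD),
    ]
    if is_gc:
        records += [
            (f"_gc._tcp.{domain}", GC),
            (f"_gc._tcp.{site}._sites.{domain}", GC),
            (f"_ldap._tcp.gc.{msdcs}", GC),
            (f"_ldap._tcp.{site}._sites.gc.{msdcs}", GC),
        ]
    if is_pdc:
        records.append((f"_ldap._tcp.pdc.{msdcs}", LDAP))
    return records


def dig_resolver(name: str) -> Set[Tuple[str, int]]:
    """Live lookup via `dig +short SRV`, whose lines look like
    '0 100 389 dc1.ad.example.test.'. Not used by the offline sample."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    found: Set[Tuple[str, int]] = set()
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 4:
            found.add((parts[3].rstrip(".").lower(), int(parts[2])))
    return found


def missing_records(dc_fqdn: str, domain: str, site: str, resolver: Resolver,
                    is_gc: bool = True, is_pdc: bool = False) -> List[str]:
    """Names under which `dc_fqdn` is not returned with the expected port."""
    target = dc_fqdn.lower()
    return [name for name, port in expected_srv_records(domain, site, is_gc, is_pdc)
            if (target, port) not in resolver(name)]


# Constructed sample: an RODC that is also a GC, whose zone holds every
# expected record except the four GC names.
DOMAIN, SITE = "ad.example.test", "Default-First-Site-Name"
RODC = f"rodc1.{DOMAIN}"
SAMPLE_ZONE = {name: {(RODC, port)}
               for name, port in expected_srv_records(DOMAIN, SITE, is_gc=True)
               if "_gc._tcp" not in name and "gc._msdcs" not in name}


def sample_missing() -> List[str]:
    """Run the check against the constructed zone instead of live DNS."""
    return missing_records(RODC, DOMAIN, SITE, lambda n: SAMPLE_ZONE.get(n, set()))


if __name__ == "__main__":
    for name in sample_missing():
        print("missing:", name)
    # For a live check: missing_records("rodc1.ad.example.test", DOMAIN, SITE, dig_resolver)
```

Run it against a live zone by passing `dig_resolver`; anything it lists is a record you will have to add by hand (with `samba-tool dns add` on a writable DC) if samba_dnsupdate on the RODC is not creating it. Pass `is_gc=False` for a DC that is not a global catalog so the GC names are not flagged.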