
[Samba] Can SAMBA work with 2008 R2 Read Only Domain controller


hagai yaffe

Jun 6, 2010, 11:20:02 AM
Hello,
 
We are planning to utilize Microsoft 2008 R2 Read Only Domain Controllers, and deploy RODCs in branches.
 
If I would like to have SAMBA servers in those branches, will I be able to add them to the domain (using "net ads join") and work with them, when using the RODCs as domain controllers configured in my smb.conf & krb5.conf?
 
I have looked around and did not find any documentation for SAMBA supporting / not supporting this.
 
I have done some testing and failed (I got "Failed to join domain: failed to connect to AD: Decrypt integrity check failed Ok" from the "net ads join" command). Before investing more time in troubleshooting, I hoped that someone could assist and tell me if such a configuration is possible.
 
If this is not possible, it would be great to know why.
 
Best Regards,
Hagai



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Serge Fonville

Jun 6, 2010, 11:30:01 AM

hagai yaffe

Jun 7, 2010, 2:20:02 AM
Hello,
 
I am sorry, I was not clear enough.
I am not planning to add the SAMBA server to the domain as a Domain Controller; I would like to add it to the domain as a domain member.
 
However, when I try to join the domain when pointing my SAMBA machine to a Microsoft Read Only Domain Controller, I fail with the error I have mentioned (when pointing to a normal Domain Controller this works; however, in the planned implementation I might have access only to Microsoft RODCs for joining the domain).
 
Should this work?
Best Regards,
Hagai

--- On Sun, 6/6/10, hagai yaffe <hag...@yahoo.com> wrote:

Jason Haar

Jul 2, 2010, 12:50:01 AM
This is a "me too". We just installed a new CentOS server (running
self-compiled samba-3.5.4 from samba.org) into a remote site that only
has a RODC and although the domain join appeared to work fine, every few
hours it "drops off" the domain.

i.e.

"net ads join" worked
"net ads testjoin" worked

but then hours later "net ads testjoin" returns "Failed to join domain:
failed to connect to AD: Decrypt integrity check failed Ok"

Strangely enough, if I then do

net ads testjoin -S real.remote.dc

that works just fine. Even stranger, immediately doing "net ads
testjoin" starts working again - for a few hours

It looks like the RODC (I know this error occurs with the RODC - "-d9"
shows it) is returning some kind of unexpected error code when objects
aren't in its cache - and Samba freaks?

Note to Serge: I think hagai is - like me - referring to Samba as a
domain member - not as a domain controller.

Jason


On 06/07/2010 03:19 AM, Serge Fonville wrote:
> Hi,
>
> Have you read http://wiki.samba.org/index.php/Samba4_joining_a_domain ?
> # Samba4 joining a domain as a RODC
>
> HTH
>
> Regards,
>
> Serge Fonville
>
> On Sun, Jun 6, 2010 at 5:12 PM, hagai yaffe <hag...@yahoo.com> wrote:
>> Hello,
>>
>> We are planning to utilize Microsoft 2008 R2 Read Only Domain Controllers, and deploy RODCs in branches.
>>
>> If I would like to have SAMBA servers in those branches, will I be able to add them to the domain (using "net ads join") and work with them, when using the RODCs as domain controllers configured in my smb.conf & krb5.conf?
>>
>> I have looked around and did not find any documentation for SAMBA supporting / not supporting this.
>>
>> I have done some testing and failed (I got "Failed to join domain: failed to connect to AD: Decrypt integrity check failed Ok" from the "net ads join" command). Before investing more time in troubleshooting, I hoped that someone could assist and tell me if such a configuration is possible.
>>
>> If this is not possible, it would be great to know why.
>>
>> Best Regards,
>> Hagai


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
