Join a domain as a RODC: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) (Moving the RODC section from the 'join as DC' HowTo to a separate page. I'll refresh and complete its content later. Currently it's 1:1 taken from the old page to this new one.)
Revision as of 22:33, 9 November 2014
Joining a domain as a RODC (status of a work in progress)
For the TODO list see Support RODC TODO
Main features implemented
- Joining a Windows domain as a RODC
To do that, run samba-tool join (or samba-tool domain join), for example:
sudo bin/samba-tool join win.dev RODC -U Administrator --password=%password --target-dir=/home/ant/prefix.win/
or (for newer versions of Samba):
sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/
- Preloading users into the RODC
Users' passwords are not cached by default in a RODC environment. To have the RODC cache a user's password, perform the following actions:
- Add the desired users to the "Allowed RODC Password Replication Group"
- Add trusted sources to the "Password Replication Policy" under the RODC's properties
- Preload the users on your RODC with:
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com
- Added support for the RODC filtered attribute set (FAS)
- Added support for unidirectional replication
- Added support for read-only database
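The preload procedure above, scripted for a list of users, as an added example that is not part of the original wiki page or of Samba itself. It assumes the writable DC name, the administrator account and the user names shown (all constructed); the second step, the Password Replication Policy on the RODC object, is set in the RODC's properties and is not automated here.

```shell
#!/bin/sh
# Added example (not Samba's own code): allow a set of users to have their
# passwords cached on the RODC, then preload them.
# SAMBA_TOOL can be overridden (e.g. SAMBA_TOOL=echo) for a dry run.
set -eu

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
RODC_GROUP="Allowed RODC Password Replication Group"

# Step 1: add the users to the group whose passwords the RODC may cache.
# Runs against the writable DC ($1) as the admin account ($2); the remaining
# arguments are the user names.
allow_rodc_caching() {
    dc="$1"; admin="$2"; shift 2
    members=$(printf '%s,' "$@"); members="${members%,}"
    "$SAMBA_TOOL" group addmembers "$RODC_GROUP" "$members" \
        -H "ldap://$dc" -U "$admin"
}

# Check: list who is currently allowed, so an unexpected member is visible
# before any secrets are replicated to the RODC.
list_rodc_allowed() {
    dc="$1"; admin="$2"
    "$SAMBA_TOOL" group listmembers "$RODC_GROUP" -H "ldap://$dc" -U "$admin"
}

# Step 3: have the RODC fetch each user's secrets from the writable DC ($1)
# now, instead of waiting for the user's first logon at the RODC.
preload_users() {
    dc="$1"; shift
    for u in "$@"; do
        "$SAMBA_TOOL" rodc preload "$u" --server="$dc"
    done
}

# Constructed sample run (replace the names with real ones), e.g.:
#   allow_rodc_caching dc1.example.com Administrator alice bob
#   list_rodc_allowed  dc1.example.com Administrator
#   preload_users      dc1.example.com alice bob
```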
Main features in the TODO list
- Support Administrator role separation
- Support Credential caching
- Joining a Windows RODC to a Samba4 domain - blocked by Kerberos TGT issues.