Join a domain as a RODC: Difference between revisions
From SambaWiki
Revision summaries:
- Mmuehlfeld (talk | contribs): Moving the RODC section from the 'join as DC' HowTo to a separate page. I'll refresh and complete its content later. Currently it's 1:1 taken from the old page to this new one.
- update RODC page to current (4.7) status and removing confusing 'must' on preload
Latest revision as of 18:04, 30 November 2017
Joining a domain as a RODC (Status for a work in progress)
For the TODO list, see Support RODC TODO.
Main features implemented
- Joining as a RODC to Windows DC
To do that, run samba-tool domain join (older Samba versions: samba-tool join), for example:
sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/
- Preloading users for RODC
Users' passwords are not cached on a RODC by default, meaning their logins are forwarded to a full read-write (RW) DC for verification until the password is cached.
To have a user's password cached on the RODC, perform the following actions:
- Add desired users to the "Allowed RODC Password Replication Group"
- Add trusted sources to the "Password Replication Policy" under RODC properties
- After the next login, the user's password will be cached.
- Alternatively, you may preload a user's password into the RODC with:
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com
- Added support for the RODC filtered attribute set (FAS)
- Added support for unidirectional replication
- Added support for read-only database
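The password-caching procedure above (add the users to the allowed group, then preload them), scripted as an added shell example that is not from the Samba wiki. It assumes samba-tool is on PATH (SAMBA_TOOL overrides it), the default group name, and that the first argument names a RW DC; the Password Replication Policy on the RODC object is still edited on the Windows side as described above.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): cache selected users' passwords
# on a RODC so their first logins at that site no longer depend on a
# reachable RW DC. Assumptions: samba-tool on PATH (SAMBA_TOOL overrides
# it for a dry run), the default allowed group, and an RW DC as server.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
ALLOWED_GROUP="Allowed RODC Password Replication Group"

# First step of the procedure: put the user in the allowed replication group.
rodc_allow_user() {
    "$SAMBA_TOOL" group addmembers "$ALLOWED_GROUP" "$1"
}

# Last step: pull the user's secrets onto the RODC now, instead of
# waiting for the user's next login.
rodc_preload_user() {
    "$SAMBA_TOOL" rodc preload "$1" --server="$2"
}

# Cache every user given after the server name. Keep the list limited to
# accounts that really authenticate at this site: each cached secret is
# exposed if the RODC is compromised. Returns the number of failures.
rodc_cache_users() {
    server="$1"; shift
    failed=0
    for user in "$@"; do
        if rodc_allow_user "$user" && rodc_preload_user "$user" "$server"; then
            echo "cached: $user"
        else
            echo "failed: $user" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage when run directly: ./rodc_cache.sh <rw-dc> user1 [user2 ...]
if [ "$#" -ge 2 ]; then
    rodc_cache_users "$@"
fi
```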
Main features in the TODO list
- Support Administrator role separation
- Support Credential caching
- Join Windows as a RODC in a Samba4 domain - blocked by Kerberos TGT handling.