Join a domain as a RODC: Difference between revisions

From SambaWiki
(Moving the RODC section from the 'join as DC' HowTo to a separate page. I'll refresh and complete its content later. Currently it's 1:1 taken from the old page to this new one.)
 
(update RODC page to current (4.7) status and removing confusing 'must' on preload)
 
Latest revision as of 18:04, 30 November 2017

Joining a domain as a RODC (status of a work in progress)

For the TODO list see Support RODC TODO

Main features implemented

  • Joining as a RODC to Windows DC

To do that, run samba-tool domain join (older Samba versions: samba-tool join), something like this:

sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/

  • Preloading users for RODC

Users' passwords are not cached by default in a RODC environment, meaning their logins will go to a full RW DC for checking until they are cached.

To accomplish that, one should perform the following actions:

  1. Add desired users to the "Allowed RODC Password Replication Group"
  2. Add trusted sources to the "Password Replication Policy" under RODC properties
  3. After the next login, the user's password will be cached.
  4. You may preload users in your RODC with
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com

  • Added support for the RODC FAS (filtered attribute set)
  • Added support for unidirectional replication
  • Added support for read-only database
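
The four-step procedure above decides, via group membership, whose secrets the RODC is allowed to cache, and then preloads them. The following is an added example (not Samba's code, and not taken from this page) that models that decision offline. It assumes the Active Directory Password Replication Policy rule that an account is cacheable only if it is, directly or through nested groups, a member of the allowed group and not of the denied group ("Denied RODC Password Replication Group", the counterpart of the group named in step 1), with deny taking precedence. The group tree, user names and server name are constructed sample data; `samba-tool rodc preload` and its `--server=` option are the real command shown in step 4.

```python
"""Offline evaluation of an RODC Password Replication Policy (PRP).

Added example; this is not Samba's own code. It models the AD PRP rule
(an assumption about behaviour the page does not spell out): an account's
secrets may be cached on the RODC only if the account, directly or through
nested groups, is a member of the allowed group and NOT of the denied group;
a deny entry always wins. It then lists the accounts worth preloading and
the argv for each `samba-tool rodc preload` call (step 4 on the page).
All directory data here is constructed sample input.
"""

ALLOWED = "Allowed RODC Password Replication Group"   # named on the page (step 1)
DENIED = "Denied RODC Password Replication Group"     # its default AD counterpart

# Constructed sample: group name -> direct members (users or nested groups).
SAMPLE_GROUPS = {
    ALLOWED: ["Branch Users"],
    DENIED: ["Domain Admins", "Account Operators"],
    "Branch Users": ["alice", "bob", "Branch Helpdesk"],
    "Branch Helpdesk": ["carol"],          # carol is also a Domain Admin below
    "Domain Admins": ["carol", "administrator"],
    "Account Operators": [],
}


def transitive_groups(member, groups):
    """Return every group containing `member`, following nested membership."""
    found = set()
    pending = [g for g, members in groups.items() if member in members]
    while pending:
        group = pending.pop()
        if group in found:
            continue
        found.add(group)
        pending.extend(g for g, members in groups.items() if group in members)
    return found


def cacheable(user, groups, allowed=ALLOWED, denied=DENIED):
    """Decide whether the RODC may cache `user`'s secrets; returns (bool, reason)."""
    memberships = transitive_groups(user, groups)
    if denied in memberships:
        return False, f"{user} is (transitively) in '{denied}'; deny wins"
    if allowed in memberships:
        return True, f"{user} is (transitively) in '{allowed}'"
    return False, f"{user} is in neither list; logins are forwarded to a RW DC"


def all_users(groups):
    """Every member name that is not itself a group, sorted."""
    return sorted({m for members in groups.values() for m in members if m not in groups})


def preload_commands(groups, server):
    """argv for `samba-tool rodc preload` (step 4) for each cacheable user."""
    return [
        ["samba-tool", "rodc", "preload", user, f"--server={server}"]
        for user in all_users(groups)
        if cacheable(user, groups)[0]
    ]


if __name__ == "__main__":
    for name in all_users(SAMPLE_GROUPS):
        ok, why = cacheable(name, SAMPLE_GROUPS)
        print(f"{'CACHE' if ok else 'SKIP '} {why}")
    for argv in preload_commands(SAMPLE_GROUPS, "myserver.mydomain.com"):
        print(" ".join(argv))
```

With the sample tree, alice and bob are cacheable, carol is refused because her Domain Admins membership puts her in the denied group even though she also reaches the allowed group, and administrator is refused outright. Only the first two appear in the generated preload commands; running those against a real RODC is what step 4 describes. When you do run `samba-tool` for real, leaving out `--password` makes it prompt instead, which keeps the credential out of the process list and shell history that the `--password=%password` form on this page exposes it to.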

Main features in the TODO list

  • Support Administrator role separation
  • Support Credential caching
  • Join a Windows machine as a RODC in a Samba4 domain - blocked by Kerberos TGT handling.