Join a domain as a RODC

From SambaWiki
Revision as of 18:04, 30 November 2017 by Abartlet (talk | contribs) (update RODC page to current (4.7) status and removing confusing 'must' on preload)

Joining a domain as a RODC (Status for a work in progress)

For the TODO list see Support RODC TODO

Main features implemented

  • Joining as a RODC to Windows DC

To do that, run samba-tool join (or samba-tool domain join) with the RODC role, for example:

sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/

  • Preloading users for RODC

Users' passwords are not cached by default in an RODC environment, so their logons are forwarded to a full read-write (RW) DC for verification until the password has been cached.

To have a user's password cached on the RODC, perform the following actions:

  1. Add desired users to the "Allowed RODC Password Replication Group"
  2. Add trusted sources to the "Password Replication Policy" under RODC properties
  3. After the next login, the user's password will be cached.
  4. You may preload users onto your RODC with:
sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com
  • Added support for the RODC FAS (filtered attribute set)
  • Added support for unidirectional replication
  • Added support for read-only database
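The group-membership requirement (step 1) and the preload command (step 4) combined into one batch script, as an added example that is not from the SambaWiki page. It assumes samba-tool is on PATH (or named in SAMBA_TOOL), a constructed server name in RODC_SERVER, and a user list file with one account name per line; users not yet in the allowed group are skipped rather than preloaded, since the RODC is only permitted to cache their secrets once they are members.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page: preload a list of users onto an
# RODC, skipping any user who is not yet in the allowed replication group.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"             # assumption: samba-tool on PATH
RODC_SERVER="${RODC_SERVER:-dc1.mydomain.com}"      # constructed placeholder server
ALLOWED_GROUP="Allowed RODC Password Replication Group"

# Print the current members of the allowed group, one account name per line.
allowed_members() {
    "$SAMBA_TOOL" group listmembers "$ALLOWED_GROUP"
}

# preload_users FILE
#   Preloads every allowed user listed in FILE, prints a one-line summary
#   "preloaded=N skipped=N failed=N", and returns non-zero if any preload failed.
preload_users() {
    members=$(allowed_members) || return 1
    preloaded=0; skipped=0; failed=0
    while IFS= read -r user || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        # Step 1 of the procedure: the user must be in the allowed group first.
        if ! printf '%s\n' "$members" | grep -qx -- "$user"; then
            echo "skip: $user is not in '$ALLOWED_GROUP'" >&2
            skipped=$((skipped + 1))
            continue
        fi
        # Step 4 of the procedure: pull the secret from the writable DC.
        if "$SAMBA_TOOL" rodc preload "$user" --server="$RODC_SERVER" >/dev/null 2>&1; then
            preloaded=$((preloaded + 1))
        else
            echo "failed: preload of $user" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    echo "preloaded=$preloaded skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}

# Usage: preload_rodc_users.sh users.txt
if [ $# -gt 0 ]; then
    preload_users "$1"
fi
```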

Main features in the TODO list

  • Support Administrator role separation
  • Support Credential caching
  • Join Windows as a RODC in a Samba4 domain - blocked by Kerberos TGT handling.