Join a domain as a RODC

Revision as of 22:33, 9 November 2014 by Mmuehlfeld (talk | contribs) (Moving the RODC section from the 'join as DC' HowTo to a separate page. I'll refresh and complete its content later. Currently it's 1:1 taken from the old page to this new one.)

Joining a domain as a RODC (status: work in progress)

For the list of open tasks, see Support RODC TODO.

Main features implemented

  • Joining as a RODC to Windows DC

To do this, run samba-tool join (or samba-tool domain join), for example:

sudo bin/samba-tool join win.dev RODC -U Administrator --password=%password --target-dir=/home/ant/prefix.win/

or (for newer versions of Samba):

sudo bin/samba-tool domain join win.dev RODC -U Administrator --password=%password --targetdir=/home/ant/prefix.win/

  • Preloading users for RODC

Users' passwords are not cached on a RODC by default. To have the RODC cache a user's password, perform the following steps:

  1. Add the desired users to the "Allowed RODC Password Replication Group"
  2. Add the trusted sources to the "Password Replication Policy" in the RODC's properties
  3. Preload the users on the RODC with:

sudo /bin/samba-tool rodc preload myuser --server=myserver.mydomain.com

  • Added support for the RODC FAS (filtered attribute set)
  • Added support for unidirectional replication
  • Added support for read-only database
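As an added example (not from this wiki page or the Samba project), a small POSIX sh wrapper for the user preloading procedure above: it refuses accounts that are members of the built-in "Denied RODC Password Replication Group" (the deny group takes precedence over the allow group), adds the account to the allowed group only if it is not already a member, and then runs the preload. It assumes samba-tool is on the PATH (or named in SAMBA_TOOL), that samba-tool group listmembers prints one account name per line, and that the Password Replication Policy still contains the default allowed group; the server name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page.
# Assumption: samba-tool is on PATH, or its path is given in SAMBA_TOOL.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
# Built-in AD groups that the default Password Replication Policy refers to
ALLOWED_GROUP="Allowed RODC Password Replication Group"
DENIED_GROUP="Denied RODC Password Replication Group"

# is_member GROUP USER -> exit 0 if USER is a direct member of GROUP
# (assumes 'samba-tool group listmembers' prints one account name per line)
is_member() {
    "$SAMBA_TOOL" group listmembers "$1" | grep -qxF "$2"
}

# check_cacheable USER -> exit 0 only when the account may be cached:
# it must not be in the denied group (deny wins) and must be in the allowed group
check_cacheable() {
    user="$1"
    if is_member "$DENIED_GROUP" "$user"; then
        echo "denied: $user is in '$DENIED_GROUP' (deny overrides allow)"
        return 1
    fi
    if ! is_member "$ALLOWED_GROUP" "$user"; then
        echo "not allowed: $user is not in '$ALLOWED_GROUP'"
        return 1
    fi
    echo "ok: $user may be cached"
}

# preload_user USER SERVER -> add USER to the allowed group if needed,
# then ask the RODC to fetch the account's secrets from the writable DC SERVER
preload_user() {
    user="$1"; server="$2"
    if is_member "$DENIED_GROUP" "$user"; then
        echo "refusing to preload $user: member of '$DENIED_GROUP'" >&2
        return 1
    fi
    is_member "$ALLOWED_GROUP" "$user" || \
        "$SAMBA_TOOL" group addmembers "$ALLOWED_GROUP" "$user" || return 1
    "$SAMBA_TOOL" rodc preload "$user" --server="$server"
}

# Usage (placeholder names): preload_user myuser myserver.mydomain.com
```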

Main features in the TODO list

  • Support Administrator role separation
  • Support Credential caching
  • Join a Windows RODC to a Samba4 domain; blocked by Kerberos TGT handling.