
ldapsearch on RODC

Posted: 09 June 2020 - 14:24
by matth_94
Hello,

I have just created an RODC joined to an AD1, both on version 4.11.6, and I would like to be able to connect my applications via LDAP to the RODC.
Is this feasible?

Thanks in advance for sharing your experience, because for now it does not work in my tests; I get this kind of response from my ldapsearch command:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 40, v1db1

and this kind of log:

[2020/06/09 12:18:46.845786, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2020/06/09 12:18:46.850433, 3] ../../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [(null)]\[adm-test@domain.local]@[(null)]
auth_check_password_send: user is: [DOMAIN]\[adm-test]@[(null)]
[2020/06/09 12:18:46.852915, 1] ../../source4/dsdb/samdb/ldb_modules/rootdse.c:518(rootdse_add_dynamic)
rootdse_add_dynamic: Failed to convert GUID into full DN in rootDSE for dsServiceName: <GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>: Base-DN '<GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>' not found
[2020/06/09 12:18:46.853228, 1] ../../source4/dsdb/common/util.c:1397(samdb_ntds_settings_dn)
Searching for dsServiceName in rootDSE failed: Failed to find full DN for dsServiceName: <GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>
[2020/06/09 12:18:46.853401, 1] ../../source4/dsdb/common/util.c:1418(samdb_ntds_settings_dn)
Failed to find our own NTDS Settings DN in the ldb!
[2020/06/09 12:18:46.853660, 3] ../../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../../source4/dsdb/repl/drepl_secret.c:145: started secret replication for CN=adm-test,OU=SYSTEME,OU=USERS,OU=YS,DC=domain,DC=local
[2020/06/09 12:18:46.854850, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855007, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855255, 5] ../../source3/winbindd/winbindd_irpc.c:210(wb_irpc_SamLogon)
wb_irpc_SamLogon called
[2020/06/09 12:18:46.866485, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of idmap.ldb
[2020/06/09 12:18:46.949594, 3] ../../source4/dsdb/repl/drepl_secret.c:53(drepl_repl_secret_callback)
../../source4/dsdb/repl/drepl_secret.c:53: repl secret failed for user CN=adm-test,OU=SYSTEME,OU=USERS,OU=YS,DC=domain,DC=local - WERR_DS_DRA_BAD_DN: extended_ret[0x0
[2020/06/09 12:18:50.424578, 0] ../../source3/winbindd/winbindd_irpc.c:55(wb_irpc_forward_callback)
RPC callback failed for winbind_SamLogon - NT_STATUS_CONNECTION_DISCONNECTED
[2020/06/09 12:18:50.426286, 2] ../../source4/auth/ntlm/auth.c:472(auth_check_password_recv)
auth_check_password_recv: winbind authentication for user [DOMAIN\adm-test] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1
[2020/06/09 12:18:50.426364, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [LDAP,simple bind/TLS] user [(null)]\[adm-test@domain.local] at [Tue, 09 Jun 2020 12:18:50.426344 UTC] with [Plaintext] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [(null)] remote host [ipv4:127.0.0.1:57600] mapped to [DOMAIN]\[adm-test]. local host [ipv4:127.0.1.1:389]
{"timestamp": "2020-06-09T12:18:50.426440+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_CONNECTION_DISCONNECTED", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:127.0.0.1:57600", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientDomain": null, "clientAccount": "adm-test@domain.local", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "adm-test", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "duration": 3576941}}
[2020/06/09 12:18:50.428280, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'

I have tested different settings but I cannot get LDAP to work.

Any help will be appreciated.

Re: ldapsearch on RODC

Posted: 09 June 2020 - 17:33
by matth_94
In the end I got it working by removing the test account from the admin groups, which in that case cannot be in the "Allowed RODC Password Replication Group".
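The JSON "Authentication" records in the log above (the samba auth_log output) are the easiest place to spot this failure mode before users report it. The following is an added example, not code from the thread or from the Samba project: it parses such records from a constructed sample (modelled on the thread's line, with a second, successful bind added) and flags accounts whose LDAP bind on the RODC ended with NT_STATUS_CONNECTION_DISCONNECTED, the status the thread traced to an account whose password the RODC was not allowed to replicate.

```python
import json
from collections import defaultdict

# Constructed sample log: one human-readable line plus two JSON
# "Authentication" records (Samba auth_log format, version 1.2).
SAMPLE_LOG = r'''
[2020/06/09 12:18:50.426364, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
{"timestamp": "2020-06-09T12:18:50.426440+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "status": "NT_STATUS_CONNECTION_DISCONNECTED", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:127.0.0.1:57600", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientAccount": "adm-test@domain.local", "mappedAccount": "adm-test", "mappedDomain": "DOMAIN", "passwordType": "Plaintext"}}
{"timestamp": "2020-06-09T12:30:01.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:10.0.0.5:50011", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientAccount": "svc-app@domain.local", "mappedAccount": "svc-app", "mappedDomain": "DOMAIN", "passwordType": "Plaintext"}}
'''

# Status the thread observed when the RODC could not obtain the account's
# secret (assumption: other statuses may also indicate this; extend as needed).
RODC_SUSPECT_STATUS = {"NT_STATUS_CONNECTION_DISCONNECTED"}


def parse_auth_events(text):
    """Return the inner 'Authentication' dicts; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events


def failed_ldap_binds(events):
    """Map DOMAIN\\account -> list of failure statuses for LDAP binds."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("serviceDescription") != "LDAP" or ev.get("status") == "NT_STATUS_OK":
            continue
        acct = f'{ev.get("mappedDomain")}\\{ev.get("mappedAccount")}'
        failures[acct].append(ev["status"])
    return dict(failures)


def rodc_replication_suspects(failures):
    """Accounts whose failure status matches the RODC secret-replication symptom."""
    return sorted(a for a, st in failures.items() if RODC_SUSPECT_STATUS & set(st))


if __name__ == "__main__":
    suspects = rodc_replication_suspects(failed_ldap_binds(parse_auth_events(SAMPLE_LOG)))
    for acct in suspects:
        print(f"{acct}: check RODC password replication policy for this account")
```

Accounts listed by the script are the ones to check against the domain's RODC password replication groups (in the thread, membership of admin groups was the cause).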

Re: ldapsearch on RODC

Posted: 09 June 2020 - 21:12
by vcardon
matth_94 wrote: 09 June 2020 - 17:33 In the end I got it working by removing the test account from the admin groups, which in that case cannot be in the "Allowed RODC Password Replication Group".
VICTORY