.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and Configuring Samba-AD RODC on Debian
  :keywords: Debian, Samba-AD, configure, documentation, rodc
.. _server_rodc_debian:

.. hint::

  This documentation is valid for Samba-AD from version 4.8 onwards.

##################################################
Installing and Configuring Samba-AD RODC on Debian
##################################################

.. attention::

  For :abbr:`RODC (Read Only Domain Controller)` support, it is recommended to use a recent version of Samba.
  RODC support is generally functional and its robustness continues to improve!

*******************************
Installing the operating system
*******************************

Install a basic Debian machine with only :program:`ssh` activated.

You may follow this :ref:`installation documentation for 64-bit Debian <server_prepare_debian>`.

******************
Preparing the RODC
******************

In this documentation, it is assumed:

* That the existing RWDC server is called *srvads* and that the forest and domain functional level is 2008R2. To check this, run the following command on the RWDC:

  .. code-block:: bash

     samba-tool domain level show

* That the new server you just installed is called *srvrodc*.

* That the domain is called *mydomain.lan*.

* That a test user is called *myuser*.

In the instructions below, you will replace *mydomain.lan* with your own domain name and *srvrodc* with the machine name of your choice.

.. include:: server_install_samba_debian_repo.rst.inc

Configuring network settings carefully
======================================

* Change :file:`/etc/hostname` to contain the :abbr:`FQDN (Fully Qualified Domain Name)`:

  .. code-block:: ini

    srvrodc.mydomain.lan

* Modify the :file:`/etc/hosts` file so that it contains the :abbr:`DNS (Domain Name Service)` resolution of the machine’s FQDN on its IP, with the long name then the short name:

  .. code-block:: ini

    127.0.0.1      localhost
    192.168.3.11   srvrodc.mydomain.lan srvrodc

Configuring the DNS
===================

In the file :file:`/etc/resolv.conf` carefully enter the IP address of your DNS server.

.. code-block:: ini

  search mydomain.lan
  nameserver 192.168.1.11
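Before moving on to the join, the following added check script (not part of Samba or of the original procedure) verifies that :file:`/etc/hostname`, :file:`/etc/hosts` and :file:`/etc/resolv.conf` match what was configured above. The function names ``preflight``, ``check_hostname``, ``check_hosts`` and ``check_resolv`` are assumptions; the script takes the IP, FQDN, domain and optional file paths as arguments so it can also be run on copies of the files:

```shell
#!/bin/sh
# Added pre-join check for the RODC host (example script, not part of Samba
# or of the original procedure). It verifies the three files configured above
# before `samba-tool domain join` is attempted. File paths are parameters that
# default to the system files, so the checks can also be run on copies.

# check_hostname FILE FQDN: /etc/hostname must hold exactly the FQDN.
check_hostname() {
    name=$(head -n 1 "$1" | tr -d '[:space:]')
    [ "$name" = "$2" ] || { echo "$1: is '$name', expected '$2'" >&2; return 1; }
}

# check_hosts FILE IP FQDN: a line "IP FQDN SHORT" (long name first) must exist,
# and the FQDN must not sit on a 127.x line: Debian's installer default
# "127.0.1.1 host" would make Samba publish a loopback address in AD DNS.
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" -v short="${3%%.*}" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == ip && $2 == fqdn && $3 == short { found = 1 }
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) loop = 1 }
        END { exit !(found && !loop) }' "$1" \
    || { echo "$1: need '$2 $3 ${3%%.*}' and no 127.x line naming $3" >&2; return 1; }
}

# check_resolv FILE DOMAIN: the search list must contain DOMAIN and the first
# nameserver must be an existing DC, not this host. resolv.conf is pointed to
# 127.0.0.1 only after the join, once the local Samba DNS is answering.
check_resolv() {
    awk -v d="$2" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) s = 1 }
        $1 == "nameserver" && n == "" { n = $2 }
        END { exit !(s && n != "" && n !~ /^127\./ && n != "::1") }' "$1" \
    || { echo "$1: need 'search $2' and a nameserver that is a DC, not 127.x" >&2; return 1; }
}

# preflight IP FQDN DOMAIN [HOSTNAME_FILE HOSTS_FILE RESOLV_FILE]
# Runs all checks, reports every failure, and returns 0 only if all pass.
preflight() {
    rc=0
    check_hostname "${4:-/etc/hostname}" "$2"    || rc=1
    check_hosts "${5:-/etc/hosts}" "$1" "$2"     || rc=1
    check_resolv "${6:-/etc/resolv.conf}" "$3"   || rc=1
    [ "$rc" -eq 0 ] && echo "OK: ready for 'samba-tool domain join $3 RODC'"
    return "$rc"
}

# Example with the names used in this documentation:
# preflight 192.168.3.11 srvrodc.mydomain.lan mydomain.lan
```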

.. include:: ../server_config_krb_secondary_server.rst.inc

Setting up the RODC service
===========================

* Join the machine to the domain:

  .. code-block:: bash

    samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator

* In the file :file:`/usr/local/samba/etc/smb.conf`, add the DNS forwarder:

  .. code-block:: ini

    dns forwarder = 8.8.8.8

* Launch the Samba service with :command:`/usr/local/samba/sbin/samba`:

  .. code-block:: bash

    /usr/local/samba/sbin/samba

* Edit :file:`/etc/resolv.conf` to make it point to itself:

  .. code-block:: ini

    search mydomain.lan
    nameserver 127.0.0.1

Testing user password replication on the RODC server
====================================================

* On *srvads*, add a user as a member of the **Allowed RODC Password Replication Group**;

* On *srvrodc*:

  .. code-block:: bash

    samba-tool rodc preload myuser --server=srvads.mydomain.lan

* If all went well, the output looks like this:

  .. code-block:: bash

    Replicating DN CN=myuser,CN=Users,DC=mondomaine,DC=lan
    Exop on[CN=myuser,CN=Users,DC=mondomaine,DC=lan] objects[1] linked_values[0]