.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring a Samba-AD RODC on RedHat or derivatives
  :keywords: RedHat10, RHEL10, RedHat9, RHEL9, RHEL8, AlmaLinux8, CentOS8, CloudOS8, Samba-AD, configure, documentation, RODC
  
.. _server_rodc_redhat:

####################################################################
Installing and configuring a Samba-AD RODC on RedHat or derivatives
####################################################################

.. note::

  Enterprise Linux 8 distributions and their derivatives do not yet ship Samba-AD packages.
  The reason is that Samba-AD relies on Heimdal Kerberos for Active Directory support, while RedHat only distributes and supports products based on MIT Kerberos.

.. include:: samba_config_server-server_prepare_redhat.rst.inc

.. include:: samba_config_server-samba_config_server-server_install_samba_redhat_repo.rst.inc

.. attention::

  For :abbr:`RODC (Read Only Domain Controller)` support, it is imperative to use a version of Samba higher than 4.9.
  RODC support is broadly functional but not complete: it lacks NTLM authentication forwarding when the user's password hash has not been synchronized to the RODC.

***************************
Setting up the RODC service
***************************

* Configure :file:`/etc/resolv.conf` so that it points to your RW domain controller (the machine must resolve the domain through an existing DC in order to join it).

* Join the machine to the domain:

  .. code-block:: bash

    samba-tool domain join mydomain.lan RODC -U MYDOMAIN\\Administrator

* In :file:`/etc/samba/smb.conf`, add the DNS forwarder:

  .. code-block:: ini

    dns forwarder = 8.8.8.8

* Start the Samba service with :command:`systemctl start samba`.

* Edit :file:`/etc/resolv.conf` to make it point to itself:

  .. code-block:: text

    search mydomain.lan
    nameserver 127.0.0.1

****************************************************
Testing user password replication on the RODC server
****************************************************

* On *srvads*, add a user as a member of the **Allowed RODC Password Replication Group**.

* On *srvrodc*:

  .. code-block:: bash

    samba-tool rodc preload myuser --server=srvads.mydomain.lan

* If all went well, the output looks like this:

  .. code-block:: text

    Replicating DN CN=myuser,CN=Users,DC=mondomaine,DC=lan
    Exop on[CN=myuser,CN=Users,DC=mondomaine,DC=lan] objects[1] linked_values[0]
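Because the RODC cannot forward NTLM authentication for a user whose password hash was never synchronized (see the attention note above), it is worth checking that each preload actually replicated the secret before relying on the RODC. The script below is an added example, not part of the original page: it runs ``samba-tool rodc preload`` for a list of users and parses the output for the ``Replicating DN`` / ``objects[1]`` lines shown above. ``RW_DC``, ``SAMBA_TOOL`` and the user file are assumed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify that "samba-tool rodc preload"
# really replicated each user's secret onto the RODC.
# Assumptions: RW_DC (the RW DC to preload from) and SAMBA_TOOL are placeholders.
set -u

RW_DC="${RW_DC:-srvads.mydomain.lan}"     # assumed RW DC name
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"    # assumed path to samba-tool

# preload_ok USER  - reads preload output on stdin, returns 0 only if the
# output reports the user's DN as replicated with exactly one object.
preload_ok() {
  user="$1"
  out="$(cat)"
  # Expect "Replicating DN CN=<user>,..." ...
  printf '%s\n' "$out" | grep -q -- "^Replicating DN CN=${user}," || return 1
  # ... followed by "Exop on[CN=<user>,...] objects[1]"
  printf '%s\n' "$out" | grep -q -- "^Exop on\[CN=${user},.*\] objects\[1\]" || return 1
  return 0
}

# preload_users FILE - preloads every user listed in FILE (one sAMAccountName
# per line), prints "ok"/"FAIL" per user and returns 1 if any user failed.
preload_users() {
  userfile="$1"
  rc=0
  while IFS= read -r user; do
    [ -z "$user" ] && continue
    # stderr is merged so an error message from samba-tool also counts as a failure
    if "$SAMBA_TOOL" rodc preload "$user" --server="$RW_DC" 2>&1 | preload_ok "$user"; then
      echo "ok   $user"
    else
      echo "FAIL $user (not in Allowed RODC Password Replication Group, or replication failed?)"
      rc=1
    fi
  done < "$userfile"
  return "$rc"
}
```

A non-zero exit from ``preload_users`` means at least one user will still have to reach the RW DC to authenticate.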
