Join Read-Only-Domain-Controller (RODC) on RHEL7

Hi,

We successfully run SSSD authentication against RWDCs on many RHEL7 systems.
Apart from some teething problems with special requirements for enumeration (required by IBM MQ)
on a few systems, SSSD works quite well.

One issue though. In special network zones, we have RODCs only. So far, we were unsuccessful
configuring authentication against Active Directory on RHEL7 systems that must use RODCs.

Has anyone been successful with RODCs on RHEL7?

Cheers and thank you

Responses

Just to clarify. We do not want RHEL7 to become an RODC. We simply want RHEL7 systems to join AD as computer members by connecting to an RODC only, similar to what Dell's QAS agent can do via vastool (we use it on RHEL6).

We tried to pre-populate computer object of RHEL7 systems on RWDC before trying SSSD join but that did not help.

Hey,

We have this working in our environment. But we built the servers in the domain which had the writable DCs, then moved them to the RO domain.

We also had to provide the following in the sssd.conf:

access_provider = ad
enumerate = True
ad_server = RO DC server name
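For readers who want to see where those three settings sit in a complete file, here is an added sssd.conf example; it is not taken from any post in this thread or from the SSSD project, and the domain name example.dom and the hosts rodc01/rodc02.example.dom are made-up placeholders.

```ini
; Added example, not a poster's file. Domain and host names are constructed placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.dom

[domain/example.dom]
id_provider = ad
auth_provider = ad
chpass_provider = ad
; access_provider = ad enforces the AD account's logon restrictions (disabled, expired, logon hours)
access_provider = ad
ad_domain = example.dom
; Pin SSSD to the RODCs reachable from this network zone instead of relying on DNS SRV discovery,
; which may return writable DCs that are unreachable from here
ad_server = rodc01.example.dom
ad_backup_server = rodc02.example.dom
; Needed only when an application (IBM MQ in this thread) requires full user/group enumeration;
; it makes sssd_be download the whole directory on a schedule, which is the CPU and login-latency
; cost reported later in the thread, so leave it at the default (False) where it is not required
enumerate = True
; Let cached credentials cover a temporary loss of the RODC
cache_credentials = True
use_fully_qualified_names = False
```

After editing the file, keep it readable only by root (SSSD refuses a world-readable sssd.conf), restart the sssd service, and confirm that the domain is online and that the chosen server is the RODC with `sssctl domain-status example.dom` (sssctl ships with SSSD 1.14 and later, i.e. RHEL 7.4+); `id someaduser` then verifies lookups and group resolution through that server.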

Interesting approach. It would have to be approved by our IT Security if we follow this path. With Dell's QAS agent, we can actually precreate computer objects and then join the RODC easily:

/opt/quest/bin/vastool -u MYADMACC -w MYADMPASS join -f -n $(hostname) -s myzone mydomain.dom

Out of interest, how is your enumeration performing?

For IBM MQ we enable enumeration and have very serious performance issues (sssd_be hogging CPU utilization, and very slow logins, on top of SSSD cache frequently "forgetting" about certain groups).
