status of credential replication on RODC

Denis Cardon denis.cardon at tranquil-it-systems.fr
Fri Mar 21 11:47:04 MDT 2014


Hi everyone,

I was wondering what was the status of the preload of credentials on 
RODC. I did a test setup with a clean 4.1.6 srvads install and a clean 
4.1.6 srvrodc install; replication and DNS are working fine on the RODC.


However when trying to preload an account on the DC, I had the following 
error.

[root at srvrodc.dcard ~]# samba-tool rodc preload   administrator 
--server=srvrodc.dcardon.local -U Administrator
Password for [DCARDON\Administrator]:
Replicating DN CN=Administrator,CN=Users,DC=dcardon,DC=local
ERROR(<type 'exceptions.TypeError'>): uncaught exception - __init__() 
takes exactly 6 arguments (5 given)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/rodc.py", 
line 94, in run
     repl = drs_Replicate("ncacn_ip_tcp:%s[seal,print]" % server, lp, 
creds, local_samdb)
A transaction is still active in ldb context [0x95039b8] on 
tdb:///usr/local/samba/private/sam.ldb


Searching the mailing list, there was a patch from Michael Brown 
https://lists.samba.org/archive/samba-technical/2013-November/096322.html .

That patch seems to correct the Python missing parameter error, however 
I have a WERR_DS_DRA_SOURCE_DISABLED error afterward:

[root at srvrodc.dcard ~]# samba-tool rodc preload ykarmouta 
--server=srvrodc.dcardon.local  -U administrator
Password for [DCARDON\administrator]:
Replicating DN CN=ykarmouta,CN=Users,DC=dcardon,DC=local
ERROR(runtime): Error replicating DN 
CN=ykarmouta,CN=Users,DC=dcardon,DC=local - (8456, 
'WERR_DS_DRA_SOURCE_DISABLED')


However samba-tool tells me replication is OK on the main DC:

[root at srvads.dcard ~]#  samba-tool drs options
Current DSA options: IS_GC
[root at srvrodc.dcard ~]# samba-tool drs options
Current DSA options: IS_GC, DISABLE_OUTBOUND_REPL


Both servers are in version 4.1.6

[root at srvrodc.dcard ~]# samba --version
Version 4.1.6

As per 
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Joining_a_domain_as_a_RODC_.28Status_for_a_work_in_progress.29 
  I added the user to the "Allowed RODC Password Replication Group" and 
added the accounts in the "Password Replication Policy" tab of the RODC 
property windows.

Pushing the sync through RSAT doesn't work either and fails.

There are people on the list who seem to have been able to make it 
work; I just wanted to know if there are other things that I should be 
aware of to get it working.

Thanks, and carry on the great work!

Denis and Yvan

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr


