[Samba] RODC User preload fails
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Thu Apr 23 05:54:27 MDT 2015
Hi Roman,
> I installed a RODC on my mailserver to have a local authentication for
> mailusers on the machine which doesn't rely on an always-on-connection to
> the office.
>
> The problem is now that the user-preload doesn't work so that the RODC
> is not able to authenticate the users itself:
>
> samba-tool rodc preload <user> --server <DC1> -U Administrator
> Password for [AD\Administrator]:
> Replicating DN CN=ldapuser(...)
> ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
Could you try without the -U Administrator flag? The Administrator user
has no right to see the password hashes of other users. I think the
command will use by default the krbtgt_xxxx account of the rodc to
authenticate on the rwdc and load the password hashes.
By the way, have you populated your "allow rodc password replication" group?
Cheers,
Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr