[Samba] RODC User preload fails

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Apr 23 05:54:27 MDT 2015


Hi Roman,

> I installed a RODC on my mailserver to have a local authentication for
> mailusers on the machine which doesn't rely on an always-on connection to
> the office.
>
> The problem is now that the user-preload doesn't work so that the RODC
> is not able to authenticate the users itself:
>
> samba-tool rodc preload <user> --server <DC1> -U Administrator
> Password for [AD\Administrator]:
> Replicating DN CN=ldapuser(...)
> ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')

Could you try without the -U Administrator flag? The Administrator user 
has no right to see the password hashes of other users. I think the 
command will use by default the krbtgt_xxxx account of the rodc to 
authenticate on the rwdc and load the password hashes.

By the way, have you populated your "allow rodc password replication" group?

Cheers,

Denis


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
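As an added illustration of the two checks suggested in the reply (this is not code from the thread or from the Samba project): run the preload without `-U` so samba-tool falls back to the RODC's own credentials, and first confirm the user sits in the allowed replication group. It assumes `samba-tool` is on the PATH on the RODC, that `samba-tool group listmembers` prints one account name per line, and that the default AD group names "Allowed RODC Password Replication Group" / "Denied RODC Password Replication Group" are in use; the precedence of the Denied group over the Allowed group is the Windows password replication policy rule and is assumed to apply here. The `classify_user` helper takes the member lists as arguments so it can be exercised on constructed output without a domain.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes samba-tool is on PATH and that
# this runs on the RODC itself, so a preload without -U uses the RODC's own
# account rather than Administrator (which cannot read other users' hashes).

ALLOWED_GROUP="Allowed RODC Password Replication Group"   # default AD group name
DENIED_GROUP="Denied RODC Password Replication Group"     # default AD group name

# Pure helper: is $2 one of the lines in the member list $1?
# (samba-tool group listmembers prints one sAMAccountName per line.)
member_in_list() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Classify a user given the member lists of the Allowed and Denied groups.
# Prints allowed|denied|unlisted. Denied takes precedence over Allowed
# (Windows policy rule, assumed to hold for Samba's RODC as well).
classify_user() {
    user="$1"; allowed="$2"; denied="$3"
    if member_in_list "$denied" "$user"; then
        echo denied
    elif member_in_list "$allowed" "$user"; then
        echo allowed
    else
        echo unlisted
    fi
}

# Live check against the domain, then preload from the RWDC without -U.
preload_user() {
    user="$1"; dc="$2"
    allowed=$(samba-tool group listmembers "$ALLOWED_GROUP")
    denied=$(samba-tool group listmembers "$DENIED_GROUP")
    case $(classify_user "$user" "$allowed" "$denied") in
        allowed) ;;
        denied)   echo "$user is in '$DENIED_GROUP'; the RWDC will refuse to reveal the hash" >&2; return 1 ;;
        unlisted) echo "$user is not in '$ALLOWED_GROUP'; add it there first" >&2; return 1 ;;
    esac
    # No -U: let samba-tool authenticate as the RODC itself.
    samba-tool rodc preload "$user" --server "$dc"
}
```

Usage on the RODC: `preload_user ldapuser dc1.example.internal` (hostname is a placeholder). If the access-denied error persists after the group membership is in place, the next thing to inspect is the RODC's own account rather than the user being preloaded.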


