[Samba] RODC User preload fails

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Apr 23 05:54:27 MDT 2015

Hi Roman,

> I installed a RODC on my mailserver to have a local authentication for
> mailusers on the machine which doesn't rely on an always-on connection to
> the office.
> The problem is now that the user-preload doesn't work so that the RODC
> is not able to authenticate the users itself:
> samba-tool rodc preload <user> --server <DC1> -U Administrator
> Password for [AD\Administrator]:
> Replicating DN CN=ldapuser(...)
> ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,

Could you try without the -U Administrator flag? The Administrator user 
has no right to see the password hashes of other users. I think the 
command will use by default the krbtgt_xxxx account of the rodc to 
authenticate on the rwdc and load the password hashes.

By the way, have you populated your "allow rodc password replication" group?




Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
