[Samba] RODC User preload fails

Roman Dilken rdilken at gmx.de
Thu Apr 23 06:57:25 MDT 2015


Hi Denis,

I think Kerberos was really the solution:

Now I get 

Exop on[CN=ldapusersrv2(...)] objects[1] linked_values[0]

as the result. The relevant users are in the "allow rodc password
replication" group.

Greetings,

Roman

On Thursday, 23.04.2015, at 13:54 +0200, Denis Cardon wrote:
> Hi Roman,
> 
> > I installed an RODC on my mail server to have local authentication for
> > mail users on the machine which doesn't rely on an always-on connection to
> > the office.
> >
> > The problem is now that the user-preload doesn't work so that the RODC
> > is not able to authenticate the users itself:
> >
> > samba-tool rodc preload <user> --server <DC1> -U Administrator
> > Password for [AD\Administrator]:
> > Replicating DN CN=ldapuser(...)
> > ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,
> > 'WERR_DS_DRA_ACCESS_DENIED')
> 
> Could you try without the -U Administrator flag? The Administrator user 
> has no right to see the password hashes of other users. I think the 
> command will use by default the krbtgt_xxxx account of the rodc to 
> authenticate on the rwdc and load the password hashes.
> 
> By the way, have you populated your "allow rodc password replication" group?
> 
> Cheers,
> 
> Denis
> 
> >
> >
> 
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
> 
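The procedure the thread converges on, written up as a script so the two checks are explicit: confirm the user is in the password replication group, then run the preload on the RODC as root without -U, so samba-tool authenticates as the RODC itself (the krbtgt_NNNNN account Denis mentions) over Kerberos. This is an added example, not code from the thread or from the Samba project. It assumes a Samba of the 4.2 era where the Kerberos switch is "-k yes", uses the default AD group names, and applies the standard AD rule that the Denied group wins over the Allowed group, which the thread does not mention. The sample outputs at the bottom are constructed, shaped like the lines Roman quoted, so the output classifier can be exercised without a domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Preload one user's secrets onto an RODC: run on the RODC as root WITHOUT -U,
# so samba-tool uses the RODC's own credentials (the krbtgt_NNNNN account the
# thread describes) over Kerberos, after checking the replication groups.
# Assumptions (not in the thread): Samba 4.2-era "-k yes" Kerberos switch,
# default AD group names, and "deny wins over allow" (standard AD behaviour).

ALLOW_GROUP="Allowed RODC Password Replication Group"
DENY_GROUP="Denied RODC Password Replication Group"

# is_member USER GROUP -> 0 if USER is listed as a member of GROUP
is_member() {
    samba-tool group listmembers "$2" -k yes 2>/dev/null | grep -qxF "$1"
}

# check_replication_groups USER -> 0 if the RODC is allowed to cache the user's secrets
check_replication_groups() {
    user="$1"
    if is_member "$user" "$DENY_GROUP"; then
        echo "refusing: $user is in '$DENY_GROUP' (deny wins over allow)" >&2
        return 1
    fi
    if ! is_member "$user" "$ALLOW_GROUP"; then
        echo "refusing: $user is not in '$ALLOW_GROUP'" >&2
        return 1
    fi
    return 0
}

# classify_preload_output TEXT -> 0 on success, 2 on WERR_DS_DRA_ACCESS_DENIED,
# 1 on any other failure. Success means an "Exop on[...]" line and no ERROR line.
classify_preload_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'WERR_DS_DRA_ACCESS_DENIED'; then
        return 2
    fi
    if printf '%s\n' "$out" | grep -q '^ERROR'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^Exop on\['; then
        return 0
    fi
    return 1
}

# preload_user USER DC -> runs the preload as the RODC itself and explains the result
preload_user() {
    user="$1"; dc="$2"
    check_replication_groups "$user" || return 1
    # No -U: the default credentials are the RODC's own (from its secrets store).
    out=$(samba-tool rodc preload "$user" --server "$dc" -k yes 2>&1) || true
    rc=0
    classify_preload_output "$out" || rc=$?
    case $rc in
        0) echo "preloaded $user from $dc" ;;
        2) echo "access denied: the replicating account may not read secrets (was -U used?)" >&2 ;;
        *) echo "preload failed:" >&2; printf '%s\n' "$out" >&2 ;;
    esac
    return $rc
}

# Constructed sample outputs, shaped like the lines quoted in the thread, so the
# classifier can be exercised without a domain (DNs are placeholders).
SAMPLE_OK="Replicating DN CN=ldapuser,CN=Users,DC=example,DC=com
Exop on[CN=ldapuser,CN=Users,DC=example,DC=com] objects[1] linked_values[0]"
SAMPLE_DENIED="Replicating DN CN=ldapuser,CN=Users,DC=example,DC=com
ERROR(runtime): Error replicating DN CN=ldapuser,CN=Users,DC=example,DC=com - (8453, 'WERR_DS_DRA_ACCESS_DENIED')"

# Usage: sh rodc-preload.sh USER DC1   (only talks to the domain when given both arguments)
if [ "$#" -eq 2 ]; then
    preload_user "$1" "$2"
fi
```

Run it as root on the RODC itself; if you pass -U Administrator anyway, expect the WERR_DS_DRA_ACCESS_DENIED path, since that account is not allowed to read other users' secrets, which is exactly the failure Roman saw.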
