[Samba] setting up a RODC

Stefan Kania stefan at kania-online.de
Tue Aug 7 13:26:42 UTC 2018


I just started testing the setup of an RODC with 4.8.3 (I use the packages
from Louis). The join works fine. After a reboot of the RODC I can see
all objects with:
ldbsearch --url=/var/lib/samba/private/sam.ldb

and all users and groups with:
wbinfo -u
wbinfo -g

But as soon as I try to test the replication I get this message:
root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
DSA Options: 0x00000025
DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b


ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,

If I try to do a replication I see the following messages:
root at rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)


With "journalctl -f" open I see:
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:16:34.805062,  0]
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync refused for security token (level=10)

I use Samba together with bind9; everything is running on Debian 9 systems.
Here is the smb.conf from the RODC:
# Global parameters
[global]
        netbios name = RODC-01
        realm = EXAMPLE.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
I checked all the permissions for bind9. Bind is running and can
access the DNS DBs.
Did I miss something? The section inside the Samba wiki is not very good at
the moment and I could not find any other how-to :-(

Any help is welcome :-)

