[Samba] setting up a RODC
Stefan Kania
stefan at kania-online.de
Tue Aug 7 15:00:29 UTC 2018
When I start the replication from the other DC, it works, as you can see:
-------
root at addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
Replicate from addc-01 to rodc-01 was successful.
-------
Am 07.08.2018 um 15:26 schrieb Stefan Kania via samba:
> Hello,
>
> I just started testing the setup of an RODC with 4.8.3 (I use the packages
> from Louis). The join works fine. After a reboot of the rodc I can see
> all objects with:
> ldbsearch --url=/var/lib/samba/private/sam.ldb
>
> and all users and groups with:
> wbinfo -u
> wbinfo -g
>
> But as soon as I try to test the replication I get this message:
> -----------
> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
> offsite\RODC-01
> DSA Options: 0x00000025
> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>
> ==== INBOUND NEIGHBORS ====
>
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
> -----------
>
> If I try to do a replication I see the following messages:
> -----------
> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
> addc-01 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
> in run
> drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
> in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
> -----------
>
> With "journalctl -f" open I see:
> -----------
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
> 15:16:34.805062, 0]
> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync
> refused for security token (level=10)
> -----------
>
> I use Samba together with bind9; everything is running on Debian 9 systems.
> Here is the smb.conf from the RODC:
> -----------
> # Global parameters
> [global]
> netbios name = RODC-01
> realm = EXAMPLE.NET
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = EXAMPLE
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> -----------
> I checked all the permissions for the bind9. The Bind is running and can
> access the DNS DBs.
> Did I miss something? The section inside the Samba wiki is not very good at
> the moment and I could not find any other how-to :-(
>
> Any help is welcome :-)
>
> Stefan
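The thread shows two different outcomes for the same replication: initiated on the RODC it is refused with WERR_DS_DRA_ACCESS_DENIED and the journal records "DsReplicaSync refused for security token (level=10)", while initiated on the writable DC it succeeds. A small check that classifies `samba-tool drs showrepl` and journal output into those findings makes it easy to spot on which side a replication problem actually sits. This is an added example written for this page, not code from the list post or from the Samba project; the sample lines are constructed to mirror the messages quoted above, and `check_drs_output`, `sample_failing_output` and `sample_healthy_output` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the list post or Samba): classify DRS replication
# output. check_drs_output reads showrepl/journal text on stdin, prints one
# line per finding and returns 1 if a known failure was seen, 0 otherwise.
check_drs_output() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *WERR_DS_DRA_ACCESS_DENIED*)
                # The DRS call was rejected outright by the target DSA.
                echo "ACCESS_DENIED: $line"
                status=1 ;;
            *"refused for security token"*)
                # drs_security_level_check logged the caller's auth level.
                lvl=$(printf '%s\n' "$line" | sed -n 's/.*level=\([0-9]*\).*/\1/p')
                echo "SECURITY_LEVEL_REFUSED level=$lvl"
                status=1 ;;
            *ERROR*)
                # Anything else samba-tool reports as an error.
                echo "OTHER_ERROR: $line"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample mirroring the RODC-side output quoted in the post.
sample_failing_output() {
    cat <<'EOF'
offsite\RODC-01
DSA Options: 0x00000025
==== INBOUND NEIGHBORS ====
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync refused for security token (level=10)
EOF
}

# Constructed sample mirroring the successful run from the writable DC.
sample_healthy_output() {
    cat <<'EOF'
Replicate from addc-01 to rodc-01 was successful.
EOF
}

# Stand-alone demo: the failing sample yields two findings and exit status 1,
# the healthy sample yields none and exit status 0.
if [ "${1:-}" = "demo" ]; then
    sample_failing_output | check_drs_output; echo "exit=$?"
    sample_healthy_output | check_drs_output; echo "exit=$?"
fi
```

On a live system the function is fed directly, for example `samba-tool drs showrepl | check_drs_output` on the RODC and again on the writable DC, or `journalctl -u samba-ad-dc --no-pager | check_drs_output` (unit name assumed; adjust to the local packaging). Comparing the two results side by side tells you whether the denial is specific to calls originating at the RODC, which is what the reply above demonstrates, rather than a general replication outage.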