[Samba] setting up a RODC

Stefan Kania stefan at kania-online.de
Tue Aug 7 15:00:29 UTC 2018 

When I start the replication from the other DC it works as you can see:
-------
root at addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
Replicate from addc-01 to rodc-01 was successful.
-------

Am 07.08.2018 um 15:26 schrieb Stefan Kania via samba:
> Hello,
> 
> I just start testing the setup of an RODC with 4.8.3 (I use the packages
> from Louis). The join works fine. After a reboot of the rodc I can see
> all Objcts with:
> ldbsearch --url=/var/lib/samba/private/sam.ldb
> 
> and all users and groups with:
> wbinfo -u
> wbinfo -g
> 
> But as soon as I try to test the replication I got this message:
> -----------
> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
> offsite\RODC-01
> DSA Options: 0x00000025
> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
> 
> ==== INBOUND NEIGHBORS ====
> 
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
> -----------
> 
> If I try to do a replication I see the following messages:
> -----------
> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
> addc-01 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
> in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
> 
> -----------
> 
> With "journalctl -f" open I see:
> -----------
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
> 15:16:34.805062,  0]
> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync
> refused for security token (level=10)
> -----------
> 
> I use Samba together with bind9 everything is running on Debian9 Systems.
> Here is the smb.conf from the RODC
> -----------
> # Global parameters
> [global]
>         netbios name = RODC-01
>         realm = EXAMPLE.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EXAMPLE
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> -----------
> I checked all the permissions for the bind9. The Bind is running and can
> access the DNS-DBs
> Did I miss someting? The section inside Samba-wiki is not very good at
> the moment and I could not find any other how to :-(
> 
> Any help is welcome :-)
> 
> Stefan
> 
> 
> 
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180807/0e8be68a/signature.sig>

More information about the samba mailing list