[Samba] setting up a RODC

Andrej Gessel andrej.gessel at janztec.com
Tue Aug 7 15:13:29 UTC 2018


Hello Stefan,

you need to use "-U" with a user from the Domain Admins group (maybe it works
with other users too, but I didn't test it).


Andrej


On 07.08.2018 at 17:00, Stefan Kania via samba wrote:
> When I start the replication from the other DC it works as you can see:
> -------
> root at addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
> Replicate from addc-01 to rodc-01 was successful.
> -------
>
> On 07.08.2018 at 15:26, Stefan Kania via samba wrote:
>> Hello,
>>
>> I just started testing the setup of an RODC with 4.8.3 (I use the packages
>> from Louis). The join works fine. After a reboot of the RODC I can see
>> all objects with:
>> ldbsearch --url=/var/lib/samba/private/sam.ldb
>>
>> and all users and groups with:
>> wbinfo -u
>> wbinfo -g
>>
>> But as soon as I try to test the replication I get this message:
>> -----------
>> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
>> offsite\RODC-01
>> DSA Options: 0x00000025
>> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
>> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
>> 'WERR_DS_DRA_ACCESS_DENIED')
>> -----------
>>
>> If I try to do a replication I see the following messages:
>> -----------
>> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
>> addc-01 dc=example,dc=net
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
>> in run
>>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>> source_dsa_guid, NC, req_options)
>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
>> in sendDsReplicaSync
>>      raise drsException("DsReplicaSync failed %s" % estr)
>>
>> -----------
>>
>> With "journalctl -f" open I see:
>> -----------
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
>> 15:16:34.805062,  0]
>> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync
>> refused for security token (level=10)
>> -----------
>>
>> I use Samba together with bind9; everything is running on Debian 9 systems.
>> Here is the smb.conf from the RODC:
>> -----------
>> # Global parameters
>> [global]
>>          netbios name = RODC-01
>>          realm = EXAMPLE.NET
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          workgroup = EXAMPLE
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> -----------
>> I checked all the permissions for bind9. Bind is running and can
>> access the DNS DBs.
>> Did I miss something? The section in the Samba wiki is not very good at
>> the moment and I could not find any other how-to :-(
>>
>> Any help is welcome :-)
>>
>> Stefan


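The journal line from drs_security_level_check and the samba-tool error quoted in this thread both have a stable shape, so an RODC operator can pick them out of the logs automatically instead of scrolling through "journalctl -f". The Python below is an added example written for this page; it is not code from the Samba project or from either poster. The sample journal lines and the samba-tool output are constructed to match the format quoted above, and the function names (parse_refusals, parse_werr, diagnose) are the example's own. The remediation hint it emits is the one given in the reply: run the replication with "-U" and Domain Admins credentials.

```python
import re
from typing import Dict, List, Optional

# Constructed sample journal lines, modelled on the journalctl output quoted
# in the thread (not captured from a real system).
SAMPLE_JOURNAL = """\
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:16:34.805062,  0] ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync refused for security token (level=10)
Aug 07 15:17:02 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:17:02.000001,  0] ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
Aug 07 15:17:02 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaGetInfo refused for security token (level=10)
Aug 07 15:18:00 rodc-01 samba[518]: task[dcesrv][518]: some unrelated message
"""

# Constructed samba-tool stderr, modelled on the error quoted in the thread.
SAMPLE_TOOL_ERROR = (
    "ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - "
    "drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')"
)

# Journal line written when the caller's security token is too weak for the
# DRS call: "<call> refused for security token (level=<n>)".
REFUSED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) samba\[(?P<pid>\d+)\]: .*?"
    r"(?P<call>DsReplica\w+) refused for security token \(level=(?P<level>\d+)\)"
)

# samba-tool prints the Win32 error as "(<code>, '<WERR_NAME>')".
WERR_RE = re.compile(r"\((?P<code>\d+), '(?P<name>WERR_\w+)'\)")


def parse_refusals(journal_text: str) -> List[Dict[str, object]]:
    """Return one record per DRS call the RODC refused for a weak token."""
    findings: List[Dict[str, object]] = []
    for line in journal_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        rec["level"] = int(m.group("level"))
        findings.append(rec)
    return findings


def parse_werr(tool_output: str) -> Optional[Dict[str, object]]:
    """Extract the Win32 error code and name from samba-tool output, if any."""
    m = WERR_RE.search(tool_output)
    if not m:
        return None
    return {"code": int(m.group("code")), "name": m.group("name")}


def diagnose(journal_text: str, tool_output: str) -> Dict[str, object]:
    """Correlate the client-side error with the server-side refusal."""
    refusals = parse_refusals(journal_text)
    err = parse_werr(tool_output)
    access_denied = err is not None and err["name"] == "WERR_DS_DRA_ACCESS_DENIED"
    result: Dict[str, object] = {
        "access_denied": access_denied,
        "refused_calls": sorted({str(r["call"]) for r in refusals}),
        "hint": None,
    }
    if access_denied and refusals:
        # The advice from the reply in this thread: authenticate the
        # replication request explicitly with a Domain Admins account.
        result["hint"] = (
            "DRS call rejected by drs_security_level_check on the RODC; "
            "rerun samba-tool drs with -U <Domain Admins user>"
        )
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_JOURNAL, SAMPLE_TOOL_ERROR).items():
        print(f"{key}: {value}")
```

In practice the journal text would come from "journalctl -u samba -o short" piped into the script and the tool output from the stderr of the failing samba-tool run; a match on both sides (WERR_DS_DRA_ACCESS_DENIED on the client, "refused for security token" on the RODC) is the pattern this thread describes.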