[Samba] setting up a RODC

Stefan Kania stefan at kania-online.de
Tue Aug 7 15:44:37 UTC 2018


Hi Andrej,

Then it works, but on a "normal" addc it works without "-U".

One more question:
When I do a "host -t srv _ldap._tcp.example.net" I only see my writeable
DCs but not my RODC. So I tested with:
------
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)'
--cross-ncs objectguid
------
Found an objectguid for my RODC

-------
host -t CNAME ab4da5a2-2755-45b4-9d83-1dec1f869477._msdcs.example.net
-------
The CNAME is there
Then I did a:
--------
samba_dnsupdate --verbose --all-names
--------
Still no entry for any of the SRV records for my RODC.


Adding users for password caching works.
Next question :-)
Is there any way to see which users were loaded with "samba-tool rodc preload
<user> --server=addc01"?

I think that's all (for the moment).

Stefan

On 07.08.2018 at 17:13, Andrej Gessel via samba wrote:
> Hello Stefan,
> 
> You need to use "-U" with a user from the Domain Admin group (maybe it works
> with other users too, but I didn't test it).
> 
> 
> Andrej
> 
> 
> On 07.08.2018 at 17:00, Stefan Kania via samba wrote:
>> When I start the replication from the other DC it works as you can see:
>> -------
>> root at addc-01:~# samba-tool drs replicate rodc-01 addc-01
>> dc=example,dc=net
>> Replicate from addc-01 to rodc-01 was successful.
>> -------
>>
>> On 07.08.2018 at 15:26, Stefan Kania via samba wrote:
>>> Hello,
>>>
>>> I just started testing the setup of an RODC with 4.8.3 (I use the packages
>>> from Louis). The join works fine. After a reboot of the RODC I can see
>>> all objects with:
>>> ldbsearch --url=/var/lib/samba/private/sam.ldb
>>>
>>> and all users and groups with:
>>> wbinfo -u
>>> wbinfo -g
>>>
>>> But as soon as I try to test the replication I get this message:
>>> -----------
>>> root at rodc-01:/var/lib/samba/private# samba-tool drs showrepl
>>> offsite\RODC-01
>>> DSA Options: 0x00000025
>>> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
>>> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
>>> 'WERR_DS_DRA_ACCESS_DENIED')
>>> -----------
>>>
>>> If I try to do a replication I see the following messages:
>>> -----------
>>> root at rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
>>> addc-01 dc=example,dc=net
>>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>>> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
>>> 389,
>>> in run
>>>      drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>>> source_dsa_guid, NC, req_options)
>>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
>>> in sendDsReplicaSync
>>>      raise drsException("DsReplicaSync failed %s" % estr)
>>>
>>> -----------
>>>
>>> With "journalctl -f" open I see:
>>> -----------
>>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
>>> 15:16:34.805062,  0]
>>> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
>>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync
>>> refused for security token (level=10)
>>> -----------
>>>
>>> I use Samba together with bind9; everything is running on Debian 9
>>> systems.
>>> Here is the smb.conf from the RODC:
>>> -----------
>>> # Global parameters
>>> [global]
>>>          netbios name = RODC-01
>>>          realm = EXAMPLE.NET
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>          workgroup = EXAMPLE
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/example.net/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>> -----------
>>> I checked all the permissions for bind9. Bind is running and can
>>> access the DNS databases.
>>> Did I miss something? The section in the Samba wiki is not very good at
>>> the moment and I could not find any other how-to :-(
>>>
>>> Any help is welcome :-)
>>>
>>> Stefan
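The DNS checks Stefan runs in his reply above (ldbsearch for each DC's DSA objectGUID, host -t CNAME for the _msdcs alias, host -t srv for the _ldap._tcp records) can be automated. The following script is an added example, not code from the thread or from Samba: it parses the text those three commands print and lists every DC whose GUID CNAME or SRV entry is missing, which is exactly the gap Stefan found for his RODC. The command outputs are constructed stand-ins embedded inline (the RODC GUID is the one quoted in the thread; the ADDC-01 GUID and the exact ldbsearch record layout are assumptions); in practice you would capture the real output of the commands with subprocess and pass it to the same functions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample output in the shape that
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# prints: one record per NTDS Settings object. The RODC-01 GUID is the one from
# the thread; the ADDC-01 GUID is made up.
LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=NTDS Settings,CN=ADDC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
objectGUID: 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0

# record 2
dn: CN=NTDS Settings,CN=RODC-01,CN=Servers,CN=offsite,CN=Sites,CN=Configuration,DC=example,DC=net
objectGUID: ab4da5a2-2755-45b4-9d83-1dec1f869477

# returned 2 records
# 2 entries
# 0 referrals
"""

# Constructed output of "host -t srv _ldap._tcp.example.net": only the writable DC answers,
# mirroring what Stefan observed.
SRV_OUTPUT = """\
_ldap._tcp.example.net has SRV record 0 100 389 addc-01.example.net.
"""

# Constructed output of "host -t CNAME <guid>._msdcs.example.net", keyed by GUID.
CNAME_OUTPUTS = {
    "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0":
        "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0._msdcs.example.net is an alias for addc-01.example.net.\n",
    "ab4da5a2-2755-45b4-9d83-1dec1f869477":
        "ab4da5a2-2755-45b4-9d83-1dec1f869477._msdcs.example.net is an alias for rodc-01.example.net.\n",
}

# The server name is the second RDN of the NTDS Settings DN.
DN_RE = re.compile(r"^dn:\s*CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)
GUID_RE = re.compile(r"^objectGUID:\s*([0-9a-f-]{36})\s*$", re.IGNORECASE)
SRV_RE = re.compile(r"has SRV record \d+ \d+ \d+ (\S+?)\.?$", re.MULTILINE)
CNAME_RE = re.compile(r"is an alias for (\S+?)\.?$", re.MULTILINE)


def parse_dsa_guids(text: str) -> Dict[str, str]:
    """Map each DC's server name (lower-cased) to its DSA objectGUID."""
    dcs: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = DN_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = GUID_RE.match(line)
        if m and current:
            dcs[current] = m.group(1).lower()
            current = None
    return dcs


def parse_srv_hosts(text: str) -> Set[str]:
    """Hostnames (lower-cased, no trailing dot) advertised in the SRV answer."""
    return {h.lower() for h in SRV_RE.findall(text)}


def parse_cname_target(text: str) -> Optional[str]:
    """Target of the _msdcs GUID alias, or None when host printed no alias."""
    m = CNAME_RE.search(text)
    return m.group(1).lower() if m else None


def audit_dc_dns(ldb_text: str, srv_text: str,
                 cname_outputs: Dict[str, str], realm: str) -> List[str]:
    """One finding per DC whose GUID CNAME or _ldap._tcp SRV registration is missing."""
    findings: List[str] = []
    srv_hosts = parse_srv_hosts(srv_text)
    for server, guid in parse_dsa_guids(ldb_text).items():
        fqdn = f"{server}.{realm}"
        target = parse_cname_target(cname_outputs.get(guid, ""))
        if target != fqdn:
            findings.append(f"{server}: no _msdcs CNAME for DSA GUID {guid}")
        if fqdn not in srv_hosts:
            findings.append(f"{server}: missing from _ldap._tcp.{realm} SRV set")
    return findings


if __name__ == "__main__":
    for finding in audit_dc_dns(LDBSEARCH_OUTPUT, SRV_OUTPUT, CNAME_OUTPUTS, "example.net"):
        print(finding)
```

With the constructed data the only finding is the RODC's missing SRV entry; a DC whose GUID alias is absent is reported separately, so the two registration steps (the _msdcs CNAME and the site/domain SRV records) can be diagnosed independently.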

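The journalctl lines in the quoted original post show how Samba logs a refused DRS call: a header line carrying Samba's own timestamp, debug level and source function, followed by a second line with the message text. As an added example that is not from the thread or from Samba, here is a parser that pairs those two journal lines into one event and extracts the refused call name and the security level it was assessed at, so refusals can be counted per call or forwarded to a SIEM instead of being read by eye. The journal excerpt is constructed: the first pair is the thread's own lines re-joined, the second pair assumes the same message format for DsReplicaGetInfo, and the third pair uses a placeholder source file to stand in for unrelated output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed journal excerpt. The first two lines are the thread's own; the
# DsReplicaGetInfo pair assumes Samba uses the same message format for that call;
# the last pair is filler with a placeholder source file, not a real Samba path.
JOURNAL = """\
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:16:34.805062,  0] ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync refused for security token (level=10)
Aug 07 15:18:02 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:18:02.113300,  0] ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
Aug 07 15:18:02 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaGetInfo refused for security token (level=10)
Aug 07 15:20:11 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:20:11.500000,  3] ../source4/placeholder.c:1(unrelated_function)
Aug 07 15:20:11 rodc-01 samba[518]: task[dcesrv][518]:   Unrelated message (constructed)
"""

# journald prefix shared by both lines: syslog timestamp, host, unit, Samba task tag.
PREFIX = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) samba\[\d+\]: task\[dcesrv\]\[\d+\]: "
# Header line: "[YYYY/MM/DD HH:MM:SS.micro,  level] source.c:line(function)"
HEADER_RE = re.compile(PREFIX + r"\[(?P<stamp>[\d/]+ [\d:.]+),\s*(?P<lvl>\d+)\] (?P<src>\S+)\((?P<func>\w+)\)$")
# Message line: whatever follows the prefix, with Samba's indentation stripped.
MSG_RE = re.compile(PREFIX + r"\s*(?P<msg>.+?)\s*$")
REFUSED_RE = re.compile(r"^(?P<call>\w+) refused for security token \(level=(?P<level>\d+)\)$")


@dataclass
class SambaDebugEvent:
    host: str
    stamp: str        # Samba's own timestamp, microsecond resolution
    debug_level: int
    function: str     # C function that emitted the message
    message: str


def parse_samba_journal(text: str) -> List[SambaDebugEvent]:
    """Pair each Samba debug header line with the message line that follows it."""
    events: List[SambaDebugEvent] = []
    pending: Optional[re.Match] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending = header          # remember the header until its message arrives
            continue
        msg = MSG_RE.match(line)
        if msg and pending:
            events.append(SambaDebugEvent(
                host=msg["host"],
                stamp=pending["stamp"],
                debug_level=int(pending["lvl"]),
                function=pending["func"],
                message=msg["msg"],
            ))
            pending = None
    return events


def replication_refusals(events: List[SambaDebugEvent]) -> List[Tuple[str, str, str, int]]:
    """(stamp, host, call, level) for every DRS call the security level check refused."""
    out = []
    for e in events:
        if e.function != "drs_security_level_check":
            continue
        r = REFUSED_RE.match(e.message)
        if r:
            out.append((e.stamp, e.host, r["call"], int(r["level"])))
    return out


def refusals_per_call(text: str) -> Dict[str, int]:
    """Count refused DRS calls by call name, e.g. to alert when the count is unexpected."""
    counts: Dict[str, int] = {}
    for _, _, call, _ in replication_refusals(parse_samba_journal(text)):
        counts[call] = counts.get(call, 0) + 1
    return counts


if __name__ == "__main__":
    for stamp, host, call, level in replication_refusals(parse_samba_journal(JOURNAL)):
        print(f"{stamp} {host}: {call} refused at security level {level}")
    print(refusals_per_call(JOURNAL))
```

The pairing matters because the message line alone carries no source function: only the header identifies drs_security_level_check as the origin, and only the header has the microsecond timestamp you need when correlating a refusal with the samba-tool invocation that caused it.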