[Samba] Missing attributes on RODC.

Rowland Penny rpenny at samba.org
Sun Feb 23 20:32:34 UTC 2020


On 23/02/2020 18:54, Klaus Ade Johnstad via samba wrote:
> One such group looks like this:
> samba-tool group show Alle-Eltern
> dn: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole
> objectClass: top
> objectClass: kopanoGroup
> objectClass: posixGroup
> objectClass: group
> cn: Alle-Eltern
> description: Alle-Eltern
> member: UID=M20313,OU=Kopano kontakter,OU=skole,DC=skole
> instanceType: 4
> whenCreated: 20200223164034.0Z
> whenChanged: 20200223164034.0Z
> displayName: Alle-Eltern
> uSNCreated: 834677
> uSNChanged: 834677
> name: Alle-Eltern
> objectGUID: 9085781c-789a-4b1c-a6b0-42eb83c40cbc
> objectSid: S-1-5-21-3990397597-3173299008-3477321899-53695
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=skole
> gidNumber: 19519
> kopanoAccount: 1
> memberOf: CN=kopanobrukere,OU=Groups,OU=skole,DC=skole
> distinguishedName: CN=Alle-Eltern,OU=Kopano kontakter,OU=skole,DC=skole

The LDIF above does not have a sAMAccountName attribute.

>
> If I try to preload it, either by uid, dn or name, all I get is
> samba-tool rodc preload
> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
> ERROR: NamingError: Failed to find account
>
> But, it is a group, not a user, so preload might not work at all.

A group is an account, but looking at the 'preload' code, it seems it 
only works for users.

> The sync of these attributes works just fine across all our DCs, just not
> the one RODC we have.

As far as I am aware, most attributes should be replicated apart from 
passwords etc., but there is a thing called 'RODC-FAS'; perhaps this is 
what is stopping your attributes replicating. More info here:

https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

Rowland
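
Added example, not part of the original message or of Samba's own code: an attribute belongs to the RODC filtered attribute set when bit 0x200 is set in its `searchFlags` in the schema, so the check is to read that bit for each attributeSchema object. The LDIF, the `example*` attribute names and all `searchFlags` values below are constructed for illustration; real input would be the result of searching the schema partition for `(objectClass=attributeSchema)`.

```python
# Added example: list schema attributes that are in the RODC filtered
# attribute set (FAS), i.e. attributes that are not replicated to RODCs.
RODC_FILTERED = 0x200   # searchFlags bit: attribute is in the RODC FAS
CONFIDENTIAL = 0x080    # searchFlags bit: attribute is marked confidential

# Constructed sample LDIF. The searchFlags values are invented and say
# nothing about the real Kopano schema extension.
SAMPLE_LDIF = """\
dn: CN=kopanoAccount,CN=Schema,CN=Configuration,DC=skole
lDAPDisplayName: kopanoAccount
searchFlags: 0

dn: CN=example-Secret,CN=Schema,CN=Configuration,DC=skole
lDAPDisplayName: exampleSecret
searchFlags: 640

dn: CN=example-Long-Name,CN=Schema,CN=Configuration,
 DC=skole
lDAPDisplayName: exampleLongName
searchFlags: 512

dn: CN=example-NoFlags,CN=Schema,CN=Configuration,DC=skole
lDAPDisplayName: exampleNoFlags
"""

def parse_ldif(text):
    """Yield one dict per LDIF record, unfolding continuation lines."""
    unfolded = text.replace("\n ", "")  # a leading space continues a line
    for block in unfolded.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            record.setdefault(key, []).append(value)
        if record:
            yield record

def rodc_filtered(text):
    """Return {attribute name: is_confidential} for attributes in the FAS."""
    result = {}
    for rec in parse_ldif(text):
        flags = int(rec.get("searchFlags", ["0"])[0])  # absent means 0
        if flags & RODC_FILTERED:
            name = rec.get("lDAPDisplayName", rec.get("dn", ["?"]))[0]
            result[name] = bool(flags & CONFIDENTIAL)
    return result

if __name__ == "__main__":
    for name, conf in sorted(rodc_filtered(SAMPLE_LDIF).items()):
        print(f"{name}: filtered from RODCs (confidential={conf})")
```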
