[Samba] Missing attributes on RODC.

Klaus Ade Johnstad klaus at linuxavdelingen.no
Sun Feb 23 20:53:21 UTC 2020

Den 23.02.2020 21:32, skrev Rowland penny via samba:
> The ldif above, does not have a sAMAccountName attribute.

Good catch, I did have that in an earlier test, but it does not help.

>> If I try to preload it, either by uid, dn or name, all I get is
>> samba-tool rodc preload
>> 'S-1-5-21-3990397597-3173299008-3477321899-53695' --server=dc01
>> ERROR: NamingError: Failed to find account
>> But, it is a group, not a user, so preload might not work at all.
> A group is an account, but looking at the 'preload' code, it seems it
> only works for users.

Right, kind of my suspicion as well, and it makes sense only working for

>> The sync of these attributes work just fine across all our DC, just not
>> the one RODC we have.
> As far as I am aware, most attributes should be replicated apart from
> passwords etc, but there is thing called 'RODC-FAS', perhaps this is
> what is stopping your attributes replicating, more info here:
> https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

I've been poking around that as well, so far without success. But, the
thing is, that these attributes do get synced for most users, just not
all, so I'm uncertain if FAS is the culprit.

> Rowland

Klaus Ade Johnstad
Klaus at linuxavdelingen.no

More information about the samba mailing list