
Re: [Samba] setting up a RODC

Hello Stefan,

you need to use "-U" with a user from the Domain Admin group (maybe it works with other users too, but I didn't test it).


On 07.08.2018 at 17:00, Stefan Kania via samba wrote:
When I start the replication from the other DC it works as you can see:
root@addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
Replicate from addc-01 to rodc-01 was successful.

On 07.08.2018 at 15:26, Stefan Kania via samba wrote:

I just started testing the setup of an RODC with 4.8.3 (I use the packages
from Louis). The join works fine. After a reboot of the RODC I can see
all objects with:
ldbsearch --url=/var/lib/samba/private/sam.ldb

and all users and groups with:
wbinfo -u
wbinfo -g

But as soon as I try to test the replication I get this message:
root@rodc-01:/var/lib/samba/private# samba-tool drs showrepl
DSA Options: 0x00000025
DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b


ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,

If I try to do a replication I see the following messages:
root@rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389, in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)


With "journalctl -f" open I see:
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:16:34.805062,  0]
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]:   DsReplicaSync refused for security token (level=10)

I use Samba together with bind9; everything is running on Debian 9 systems.
Here is the smb.conf from the RODC:
# Global parameters
[global]
        netbios name = RODC-01
        realm = EXAMPLE.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
I checked all the permissions for bind9. Bind is running and can
access the DNS databases.
Did I miss something? The section in the Samba wiki is not very good at
the moment and I could not find any other how-to :-(

Any help is welcome :-)


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
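The fix given in the reply above, as an added example that is not part of the thread and not Samba project code: a POSIX shell wrapper that runs the replication with an explicit -U account and classifies what samba-tool printed, so that an access-denied result is reported as a credentials problem rather than a transport one. The point it encodes is that samba-tool's drs commands fall back to the local machine account when no -U is given, and the RODC's machine account is exactly what the target DC refuses for DsReplicaSync (the 8453 / WERR_DS_DRA_ACCESS_DENIED seen in the thread). It assumes samba-tool is on PATH and that the password is typed at samba-tool's prompt; the host names and naming context are the thread's, and classify_drs_result, drs_hint and replicate_nc are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes samba-tool is on PATH and that
# the caller supplies a domain-admin account with -U; without -U samba-tool
# falls back to the machine account, which on an RODC is refused for
# DsReplicaSync, as seen in the thread's WERR_DS_DRA_ACCESS_DENIED (8453).

# Classify the text that samba-tool drs replicate / showrepl printed.
# Prints one of: OK, ACCESS_DENIED, ERROR, UNKNOWN.
# The access-denied patterns must come before the generic ERROR pattern,
# because the denied message also starts with "ERROR(".
classify_drs_result() {
    case "$1" in
        *"was successful"*)                      echo OK ;;
        *WERR_DS_DRA_ACCESS_DENIED*|*"(8453,"*)  echo ACCESS_DENIED ;;
        *ERROR*)                                 echo ERROR ;;
        *)                                       echo UNKNOWN ;;
    esac
}

# Turn a classification into the one-line hint an operator wants to see.
drs_hint() {
    case "$1" in
        OK)            echo "replication completed" ;;
        ACCESS_DENIED) echo "refused by the target DC's access check: rerun with -U <Domain Admin account>, not the machine account" ;;
        ERROR)         echo "samba-tool reported an error unrelated to credentials; see its output" ;;
        *)             echo "unrecognised samba-tool output" ;;
    esac
}

# replicate_nc DEST SRC NC USER
# Pull naming context NC from SRC onto DEST as USER (samba-tool prompts for
# the password), then show DEST's replication status with the same credentials.
replicate_nc() {
    dest=$1; src=$2; nc=$3; user=$4
    out=$(samba-tool drs replicate "$dest" "$src" "$nc" -U "$user" 2>&1)
    rc=$(classify_drs_result "$out")
    printf '%s: %s\n' "$rc" "$(drs_hint "$rc")"
    if [ "$rc" = OK ]; then
        samba-tool drs showrepl "$dest" -U "$user"
    else
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Run only when invoked with the four arguments, e.g.
#   sh drs_replicate.sh rodc-01 addc-01 dc=example,dc=net Administrator
if [ $# -eq 4 ]; then
    replicate_nc "$@"
fi
```

Run it from either DC; the destination is named first, as in samba-tool's own argument order. If the classification comes back ACCESS_DENIED even with a Domain Admin account, the problem is no longer the credentials and the journal on the target DC ("DsReplicaSync refused for security token") is the place to look next.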