Hi,

I installed a RODC on my mailserver to have local authentication for mail users on the machine which doesn't rely on an always-on connection to the office.

The problem is now that the user preload doesn't work, so the RODC is not able to authenticate the users itself:

samba-tool rodc preload <user> --server <DC1> -U Administrator
Password for [AD\Administrator]:
Replicating DN CN=ldapuser(...)
ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
Hi Roman,

> I installed a RODC on my mailserver to have local authentication for
> mail users on the machine which doesn't rely on an always-on connection to
> the office.
>
> The problem is now that the user preload doesn't work, so the RODC
> is not able to authenticate the users itself:
>
> samba-tool rodc preload <user> --server <DC1> -U Administrator
> Password for [AD\Administrator]:
> Replicating DN CN=ldapuser(...)
> ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')

Could you try without the -U Administrator flag? The Administrator user has no right to see the password hashes of other users. I think the command will use by default the krbtgt_xxxx account of the rodc to authenticate on the rwdc and load the password hashes.

By the way, have you populated your "allow rodc password replication" group?

Cheers,

Denis

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Hi Denis,

I think the Kerberos was really the solution: now I get

Exop on[CN=ldapusersrv2(...)] objects[1] linked_values[0]

as the result. The relevant users are in the "allow rodc password replication" group.

Greetings,

Roman

On Thursday, 23.04.2015, 13:54 +0200, Denis Cardon wrote:
> Hi Roman,
>
> > I installed a RODC on my mailserver to have local authentication for
> > mail users on the machine which doesn't rely on an always-on connection to
> > the office.
> >
> > The problem is now that the user preload doesn't work, so the RODC
> > is not able to authenticate the users itself:
> >
> > samba-tool rodc preload <user> --server <DC1> -U Administrator
> > Password for [AD\Administrator]:
> > Replicating DN CN=ldapuser(...)
> > ERROR(runtime): Error replicating DN CN=ldapusersrv2(...) - (8453,
> > 'WERR_DS_DRA_ACCESS_DENIED')
>
> Could you try without the -U Administrator flag? The Administrator user
> has no right to see the password hashes of other users. I think the
> command will use by default the krbtgt_xxxx account of the rodc to
> authenticate on the rwdc and load the password hashes.
>
> By the way, have you populated your "allow rodc password replication" group?
>
> Cheers,
>
> Denis
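The two points of the thread, run the preload without -U so samba-tool uses the RODC's own credentials as Denis describes, and make sure the user is in the allowed-replication group, as a small shell wrapper. This is an added example, not code from the thread or from the Samba project. It assumes it runs as root on the RODC with samba-tool on PATH, that a writable DC is reachable under the made-up name dc1.ad.example.com (override with RWDC), and that the group carries the default name "Allowed RODC Password Replication Group". The output classification matches the exact strings quoted in the thread, so a WERR_DS_DRA_ACCESS_DENIED stops the run instead of scrolling past.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): preload a list of users
# onto a Samba RODC and fail loudly on WERR_DS_DRA_ACCESS_DENIED.
# Assumptions: run as root on the RODC, samba-tool on PATH, writable DC
# reachable as $RWDC (hostname below is made up), default group name.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
RWDC="${RWDC:-dc1.ad.example.com}"
# Default name of the group whose members' secrets an RODC may cache.
RODC_GROUP="Allowed RODC Password Replication Group"

# classify_preload_output TEXT
# Reduces samba-tool's output to one word. Order matters: the denied output
# in the thread also contains "ERROR" and "Replicating DN", so it goes first.
classify_preload_output() {
    case "$1" in
        *WERR_DS_DRA_ACCESS_DENIED*) echo denied ;;  # creds cannot read secrets, or user not allowed
        *ERROR*)                     echo error ;;   # some other samba-tool failure
        *"Exop on["*"objects["*)     echo ok ;;      # the success line Roman reports
        *)                           echo unknown ;;
    esac
}

# allow_user USER
# Group membership is a change on the writable DC, so this one does talk to
# the RWDC with admin credentials; only the preload itself must run without -U.
allow_user() {
    "$SAMBA_TOOL" group addmembers "$RODC_GROUP" "$1" \
        -H "ldap://$RWDC" -U Administrator
}

# preload_user USER
# Runs the preload with the RODC's own credentials (no -U), prints
# "USER: status" and returns 0 only when the secrets were replicated.
preload_user() {
    out=$("$SAMBA_TOOL" rodc preload "$1" --server "$RWDC" 2>&1)
    status=$(classify_preload_output "$out")
    printf '%s: %s\n' "$1" "$status"
    if [ "$status" != ok ]; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# preload_users USER...
# Returns the number of users whose preload did not succeed (0 = all good).
preload_users() {
    failed=0
    for u in "$@"; do
        preload_user "$u" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage: ./rodc-preload.sh ldapuser ldapusersrv2
if [ $# -gt 0 ]; then
    preload_users "$@"
fi
```

Run allow_user for a new mail user first (it needs the writable DC), then preload_users on the RODC; a user that is not in the group will still come back as denied, which is exactly the check Denis asks about.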