Hello,

I just started testing the setup of an RODC with 4.8.3 (I use the packages from Louis). The join works fine. After a reboot of the RODC I can see all objects with:
ldbsearch --url=/var/lib/samba/private/sam.ldb

and all users and groups with:
wbinfo -u
wbinfo -g

But as soon as I try to test the replication I get this message:
-----------
root@rodc-01:/var/lib/samba/private# samba-tool drs showrepl
offsite\RODC-01
DSA Options: 0x00000025
DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b

==== INBOUND NEIGHBORS ===

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
-----------

If I try to do a replication I see the following messages:
-----------
root@rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
-----------

With "journalctl -f" open I see:
-----------
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07 15:16:34.805062, 0] ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync refused for security token (level=10)
-----------

I use Samba together with bind9; everything is running on Debian 9 systems.
Here is the smb.conf from the RODC:
-----------
# Global parameters
[global]
        netbios name = RODC-01
        realm = EXAMPLE.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
-----------
I checked all the permissions for the bind9. Bind is running and can access the DNS DBs.
Did I miss something? The section inside the Samba wiki is not very good at the moment and I could not find any other how-to :-(

Any help is welcome :-)

Stefan
When I start the replication from the other DC it works, as you can see:
-------
root@addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
Replicate from addc-01 to rodc-01 was successful.
-------

On 07.08.2018 at 15:26, Stefan Kania via samba wrote:
> Hello,
>
> I just started testing the setup of an RODC with 4.8.3 (I use the packages
> from Louis). The join works fine. After a reboot of the RODC I can see
> all objects with:
> ldbsearch --url=/var/lib/samba/private/sam.ldb
>
> and all users and groups with:
> wbinfo -u
> wbinfo -g
>
> But as soon as I try to test the replication I get this message:
> -----------
> root@rodc-01:/var/lib/samba/private# samba-tool drs showrepl
> offsite\RODC-01
> DSA Options: 0x00000025
> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>
> ==== INBOUND NEIGHBORS ===
>
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
> -----------
>
> If I try to do a replication I see the following messages:
> -----------
> root@rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
> addc-01 dc=example,dc=net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
> in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> -----------
>
> With "journalctl -f" open I see:
> -----------
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
> 15:16:34.805062, 0]
> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync
> refused for security token (level=10)
> -----------
>
> I use Samba together with bind9; everything is running on Debian 9 systems.
> Here is the smb.conf from the RODC:
> -----------
> # Global parameters
> [global]
>         netbios name = RODC-01
>         realm = EXAMPLE.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EXAMPLE
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> -----------
> I checked all the permissions for the bind9. Bind is running and can
> access the DNS DBs.
> Did I miss something? The section inside the Samba wiki is not very good at
> the moment and I could not find any other how-to :-(
>
> Any help is welcome :-)
>
> Stefan
Hello Stefan,

you need to use "-U" with a user from the Domain Admin group (maybe it works with other users too, but I didn't test it).

Andrej

On 07.08.2018 at 17:00, Stefan Kania via samba wrote:
> When I start the replication from the other DC it works, as you can see:
> -------
> root@addc-01:~# samba-tool drs replicate rodc-01 addc-01 dc=example,dc=net
> Replicate from addc-01 to rodc-01 was successful.
> -------
>
> On 07.08.2018 at 15:26, Stefan Kania via samba wrote:
>> Hello,
>>
>> I just started testing the setup of an RODC with 4.8.3 (I use the packages
>> from Louis). The join works fine. After a reboot of the RODC I can see
>> all objects with:
>> ldbsearch --url=/var/lib/samba/private/sam.ldb
>>
>> and all users and groups with:
>> wbinfo -u
>> wbinfo -g
>>
>> But as soon as I try to test the replication I get this message:
>> -----------
>> root@rodc-01:/var/lib/samba/private# samba-tool drs showrepl
>> offsite\RODC-01
>> DSA Options: 0x00000025
>> DSA object GUID: ab4da5a2-2755-45b4-9d83-1dec1f869477
>> DSA invocationId: 92ae0aeb-beea-4944-b65b-61ad4564a87b
>>
>> ==== INBOUND NEIGHBORS ===
>>
>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
>> 'WERR_DS_DRA_ACCESS_DENIED')
>> -----------
>>
>> If I try to do a replication I see the following messages:
>> -----------
>> root@rodc-01:/var/lib/samba/private# samba-tool drs replicate rodc-01
>> addc-01 dc=example,dc=net
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 389,
>> in run
>>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
>> source_dsa_guid, NC, req_options)
>>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 87,
>> in sendDsReplicaSync
>>     raise drsException("DsReplicaSync failed %s" % estr)
>>
>> -----------
>>
>> With "journalctl -f" open I see:
>> -----------
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: [2018/08/07
>> 15:16:34.805062, 0]
>> ../source4/rpc_server/drsuapi/drsutil.c:109(drs_security_level_check)
>> Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync
>> refused for security token (level=10)
>> -----------
>>
>> I use Samba together with bind9; everything is running on Debian 9 systems.
>> Here is the smb.conf from the RODC:
>> -----------
>> # Global parameters
>> [global]
>>         netbios name = RODC-01
>>         realm = EXAMPLE.NET
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = EXAMPLE
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>> -----------
>> I checked all the permissions for the bind9. Bind is running and can
>> access the DNS DBs.
>> Did I miss something? The section inside the Samba wiki is not very good at
>> the moment and I could not find any other how-to :-(
>>
>> Any help is welcome :-)
>>
>> Stefan
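Andrej's answer names the cause: the RODC's DRS server refused the call because the caller's security token was below the level Samba requires (the journal line "DsReplicaSync refused for security token (level=10)"), so the check has to be run with explicit Domain Admins credentials via -U. The following POSIX shell helper is an added example, not code from the thread or from Samba: it interprets the samba-tool and journal output so a monitoring script can tell an authentication refusal (wrong or missing credentials) from a genuine replication failure. The sample lines are constructed from the messages quoted above, and DOMAIN_ADMIN_USER is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code): classify the
# output of "samba-tool drs showrepl" / "samba-tool drs replicate" and the
# matching samba journal line, so that WERR_DS_DRA_ACCESS_DENIED is reported
# as "run this with Domain Admins credentials" rather than as a replication
# outage.

# Hypothetical placeholder; override it in the environment.
DOMAIN_ADMIN_USER="${DOMAIN_ADMIN_USER:-EXAMPLE\\administrator}"

# Constructed sample: what the RODC printed when showrepl ran without -U.
SAMPLE_DENIED="ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')"
# Constructed sample: the journal line that accompanies the refusal.
SAMPLE_JOURNAL="Aug 07 15:16:34 rodc-01 samba[518]: task[dcesrv][518]: DsReplicaSync refused for security token (level=10)"
# Constructed sample: a successful replicate run from the full DC.
SAMPLE_OK="Replicate from addc-01 to rodc-01 was successful."

# drs_error_code: read samba-tool text on stdin and print the numeric WERR
# code from the first "(NNNN, 'WERR_...')" pair (8453 above); prints
# nothing when the text carries no such code.
drs_error_code() {
    sed -n "s/.*(\([0-9]*\), *'WERR_[A-Z_]*').*/\1/p" | head -n 1
}

# classify_drs: read samba-tool or journal text on stdin and print exactly
# one of: ok | access-denied | error | unknown
classify_drs() {
    text=$(cat)
    case "$text" in
        *WERR_DS_DRA_ACCESS_DENIED*|*"refused for security token"*)
            echo access-denied ;;
        *"was successful"*)
            echo ok ;;
        *ERROR*)
            echo error ;;
        *)
            echo unknown ;;
    esac
}

# check_rodc_replication: run showrepl with explicit Domain Admins
# credentials when samba-tool is installed (-U prompts for the password);
# otherwise use the constructed sample so the helper can be exercised
# offline. Exit status: 0 = ok, 2 = access denied (credential problem),
# 1 = any other failure.
check_rodc_replication() {
    if command -v samba-tool >/dev/null 2>&1; then
        out=$(samba-tool drs showrepl -U "$DOMAIN_ADMIN_USER" 2>&1)
    else
        out=$SAMPLE_DENIED
    fi
    case "$(printf '%s\n' "$out" | classify_drs)" in
        ok)
            return 0 ;;
        access-denied)
            echo "DRS call refused (code $(printf '%s\n' "$out" | drs_error_code)): rerun with -U and a Domain Admins account" >&2
            return 2 ;;
        *)
            echo "replication check failed: $out" >&2
            return 1 ;;
    esac
}

# Stand-alone run: without samba-tool this exercises the constructed sample.
check_rodc_replication
```

The distinction matters operationally: an access-denied result means the DRS interface did the right thing by refusing a caller whose token was not privileged enough, and the fix is to authenticate as Andrej describes, whereas any other error from the same command is the signal to investigate replication itself.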