samba - May 2021 - user to read replication status

Hello:
we are wanting to generate a user that has privileges to be able to 
perform the following operation:
 ?samba-tool drs showrepl -UUser
We have been trying different privileges, from full tree reading, to 
schema administration, but we always get the following error:
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 
'WERR_DS_DRA_ACCESS_DENIED')
the only permission that obviously works is with domain administrator...
Can you think of any particular permission we should give it? I did not 
find any info on this.
Regards


-- 
Marcos Ariel Negrini
AFIP - Divisi?n Seguridad de Activos
Direcci?n de Seguridad de la Informaci?n
Paseo Colon 635 PB - CP 1063 - CABA

On 06/05/2021 19:28, Marcos Ariel Negrini via samba
wrote:
> Hello:
> we are wanting to generate a user that has privileges to be able to 
> perform the following operation:
> ?samba-tool drs showrepl -UUser
> We have been trying different privileges, from full tree reading, to 
> schema administration, but we always get the following error:
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 
> 'WERR_DS_DRA_ACCESS_DENIED')
> the only permission that obviously works is with domain administrator...
> Can you think of any particular permission we should give it? I did 
> not find any info on this.
> Regards
>
>
Use sudo. Add the user as a sudo user and then run the command with the 
machine key e..g. sudo samba-tool drs showrepl -P

Rowland