Web lists-archives.com

Re: [Samba] dsdb_access Access check failed on CN=Configuration




Try again with : 

samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
As in dc5.your.dns.domain.tld ... 

Whats the result.? 
If it fails, please tell os your: 

OS? 
Content of 

/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf 
/etc/samba/smb.conf


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Mike 
> Ray via samba
> Verzonden: woensdag 22 mei 2019 16:48
> Aan: samba
> Onderwerp: [Samba] dsdb_access Access check failed on CN=Configuration
> 
> All-
> 
> I've got 3 DCs (version 4.9.6-12) that, prior to today, were 
> running without issue (as best I could tell).
> 
> Every night I run a few commands to monitor the status of the 
> DCs/domain. I run:
> * dbcheck --cross-ncs
> * samba-tool drs kcc <other DCs>
> * samba-tool ldapcmp <local DC> <other DCs> 
> (domain|configuration|schema|dnsdomain|dnsforest)
> * samba-tool drs showrepl
> 
> These commands are run on each DC and logged.
> 
> Since upgrading to this version about a month ago, I have not 
> seen issues since offsetting the CRONs (offsetting the run 
> times fixed an intermittent error with the KCC command).
> 
> However, this morning, I find that the LDAPCMP command is 
> failing on all 3 DCs.
> 
> The error is the same on all DCs and the same for domain, 
> configuration, etc:
> 
>  # samba-tool ldapcmp dc5 DC3 DNSFOREST
> ERROR(ldb): uncaught exception - LDAP error 32 
> LDAP_NO_SUCH_OBJECT -  <dsdb_access: Access check failed on 
> CN=Configuration,DC=domain,DC=local> <>
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", 
> line 972, in run
>     outf=self.outf, errf=self.errf)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", 
> line 79, in __init__
>     self.domain_netbios = self.find_netbios()
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", 
> line 115, in find_netbios
>     scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
> 
> All the other commands noted above run without issue.
> 
> I used "samba-tool visual reps" and found that for some DSAs 
> that, each DC thinks it has no communication to the others. 
> For example, this is some of the output from DC3:
> 
> 
> 
> RepsFrom objects for CONFIGURATION
>                                                               
>                              destination
>                                                               
>                             ,--- 
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local
>                                                               
>                             |,-- 
> CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local
>                                                               
>                      source ||,- 
> CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local 011
> CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local -01
> CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=domain,DC=local -10
> 
> 
> As "samba-tool drs showrepl" does not show any errors, I am 
> not sure if replication is broken or not. But without 
> "samab-tool ldapcmp" functional, I cannot verify.
> 
> Seemingly, no one changed anything on these machines (except 
> I changed logging levels yesterday and did restart the service).
> 
> 
> Anyone have any idea where to start debugging here? My 
> Google-fu failed to find anything relevant.
> 
> 
> Mike Ray
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba