
Re: [Samba] dsdb_access Access check failed on CN=Configuration

On 22/05/2019 16:29, Mike Ray via samba wrote:
----- On May 22, 2019, at 10:01 AM, samba samba@xxxxxxxxxxxxxxx wrote:

Try again with :

samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
As in dc5.your.dns.domain.tld ...

What's the result?
The failure is still present -- no change in the output of the command:

  # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

Try running this on each of the DCs:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Partitions,CN=Configuration,dc=domain,dc=local' -s sub '(nETBIOSName=*)' nETBIOSName

It should return the domain name.

# names that resolve to me
localhost.localdomain localhost dc3.domain.local dc3.otherinternaldomain.local dc3
Go on, I give in, why is 'dc3.otherinternaldomain.local' where it shouldn't be?

# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
Is there something wrong with your DNS? There must be, to have those lines in /etc/hosts.
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

search domain.local
If you are going to sanitise things do everything. (I have done it for you)
nameserver # IP of another DC
nameserver # my own IP
Switch them around.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

I take it you only use the DCs for authentication.
         dns forwarder =
         idmap_ldb:use rfc2307 = yes
         ldap server require strong auth = no
         load printers = no
         netbios name = dc3
         ntp signd socket directory = /var/run/samba/ntp_signd
         printcap name = /dev/null
         printing = bsd
         realm = domain.local
         server role = active directory domain controller
         workgroup = domain
         #log level = 3 auth_audit:3

         path = /var/lib/samba/sysvol/domain.local/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).
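A small checker for the two host-resolution problems the replier points out above: names from a foreign domain (and _msdcs records) sitting in /etc/hosts, and resolv.conf listing another DC before the DC's own address. This is an added example, not Samba's code or the poster's; the file contents below are constructed and the 192.0.2.x addresses are documentation-range placeholders.

```python
import ipaddress

# Constructed sample files modelled on the thread; the IPs are RFC 5737
# documentation addresses, not the poster's real ones.
HOSTS = """\
127.0.0.1 localhost
# names that resolve to me
192.0.2.3 localhost.localdomain localhost dc3.domain.local dc3.otherinternaldomain.local dc3
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
192.0.2.3 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
::1     localhost ip6-localhost ip6-loopback
"""
RESOLV = """\
search domain.local
nameserver 192.0.2.5
nameserver 192.0.2.3
"""


def lint_hosts(hosts_text, realm):
    """Flag FQDNs outside the DC's own realm, and any _msdcs records,
    which belong in AD DNS rather than in a static hosts file."""
    realm = realm.lower()
    findings = {"foreign": [], "msdcs": []}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/hostname entry
        for name in fields[1:]:
            name = name.lower()
            if "._msdcs." in name:
                findings["msdcs"].append(name)
            elif "." in name and name != "localhost.localdomain" \
                    and not name.endswith("." + realm):
                findings["foreign"].append(name)
    return findings


def lint_resolv(resolv_text, own_ip):
    """Return the nameserver list and whether the DC queries itself first,
    as the thread recommends (own IP first, another DC second)."""
    servers = [f[1] for f in (l.split() for l in resolv_text.splitlines())
               if len(f) >= 2 and f[0] == "nameserver"]
    return servers, bool(servers) and servers[0] == own_ip


if __name__ == "__main__":
    print(lint_hosts(HOSTS, "domain.local"))
    print(lint_resolv(RESOLV, "192.0.2.3"))
```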

