Web lists-archives.com

Re: [Samba] dsdb_access Access check failed on CN=Configuration

OK -- I fixed this issue.

The fix also fixed the issue where the following ldapsearch command use to return but no longer did:
# ldapsearch -x -H ldap://DC -b dc=domain,dc=local "(&(gidNumber=xxxx)(!(uidNumber=*)))"

The answer is that I needed to re-add "acl:search = no" to the smb.conf to all DCs.

The question is why?

I upgraded from a custom compiled Samba ~4.0 to Samba 4.9 about a little over a month ago.

Shortly after upgrading, I noted strange behavior with seemingly high CPU/RAM usage on DCs causing logon issues. Additionally, I was seeing errors in the output of "samba-tool drs kcc <DC>". That discussion is here: https://lists.samba.org/archive/samba/2019-April/222643.html

The first problem of high load seemed to resolve itself after we increased resources on the system and tweaked AV settings on the box.

The second problem was resolved by off-setting CRONs so that "samba-tool drs kcc <DC>" did not run at the same time.

However, while debugging with the list, several smb.conf edits were suggested. One suggestion was the removal of "acl:search = no". It was noted that it was a very old fix and unlikely to be needed now. However, it seems I do need it. 

Does anyone have any information on that directive? I'm having issues finding it in the man page.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba