Web lists-archives.com

[Samba] dsdb_access Access check failed on CN=Configuration




> > OK -- I fixed this issue.
> >
> > The fix also fixed the issue where the following ldapsearch command use to return but no longer did:
> > # ldapsearch -x -H ldap://DC -b dc=domain,dc=local "(&(gidNumber=xxxx)(!(uidNumber=*)))"
> >
> > The answer is that I needed to re-add "acl:search = no" to the smb.conf to all DCs.
> >
> > The question is why?
> >
> > I upgraded from a custom compiled Samba ~4.0 to Samba 4.9 about a little over a month ago.
> >
> > Shortly after upgrading, I noted strange behavior with seemingly high CPU/RAM usage on DCs causing logon issues. Additionally, I was seeing errors in the output of "samba-tool drs kcc <DC>". That discussion is here: https://lists.samba.org/archive/samba/2019-April/222643.html
> >
> > The first problem of high load seemed to resolve itself after we increased resources on the system and tweaked AV settings on the box.
> >
> > The second problem was resolved by off-setting CRONs so that "samba-tool drs kcc <DC>" did not run at the same time.
> >
> > However, while debugging with the list, several smb.conf edits were suggested. One suggestion was the removal of "acl:search = no". It was noted that it was a very old fix and unlikely to be needed now. However, it seems I do need it.
> >
> > Does anyone have any information on that directive? I'm having issues finding it in the man page.
>
> Also - why did the error take 3 weeks to show up?

I realized the time-lapse from removing the setting to problem showing is because the "search:acl" directive only takes affect when the entire service is restarted, which I did not do when I first made the configuration edit.

So the only mystery is why our setup still needs such an old configuration option.


Mike Ray

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba