
[Samba] dsdb_access Access check failed on CN=Configuration

> > OK -- I fixed this issue.
> >
> > The fix also fixed the issue where the following ldapsearch command used to return results but no longer did:
> > # ldapsearch -x -H ldap://DC -b dc=domain,dc=local "(&(gidNumber=xxxx)(!(uidNumber=*)))"
> >
> > The answer is that I needed to re-add "acl:search = no" to the smb.conf to all DCs.
> >
> > The question is why?
> >
> > I upgraded from a custom-compiled Samba ~4.0 to Samba 4.9 a little over a month ago.
> >
> > Shortly after upgrading, I noted strange behavior with seemingly high CPU/RAM usage on DCs causing logon issues. Additionally, I was seeing errors in the output of "samba-tool drs kcc <DC>". That discussion is here: https://lists.samba.org/archive/samba/2019-April/222643.html
> >
> > The first problem of high load seemed to resolve itself after we increased resources on the system and tweaked AV settings on the box.
> >
> > The second problem was resolved by offsetting the cron jobs so that "samba-tool drs kcc <DC>" did not run at the same time on every DC.
> >
> > However, while debugging with the list, several smb.conf edits were suggested. One suggestion was the removal of "acl:search = no". It was noted that it was a very old fix and unlikely to be needed now. However, it seems I do need it.
> >
> > Does anyone have any information on that directive? I'm having issues finding it in the man page.
> Also - why did the error take 3 weeks to show up?

I realized the time lapse from removing the setting to the problem showing up is because the "acl:search" directive only takes effect when the entire service is restarted, which I did not do when I first made the configuration edit.

So the only mystery is why our setup still needs such an old configuration option.

Mike Ray
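The thread's fix is to put "acl:search = no" back into the [global] section of smb.conf on every DC and then fully restart the service. The script below is an added example (not Mike's or the Samba project's code) that makes that change idempotently and reads the value back so it can be verified on each DC before restarting. It assumes a standard ini-style smb.conf with a [global] section; the config path /etc/samba/smb.conf and the service unit name samba-ad-dc in the usage comments are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: set "acl:search = no" under [global] in a Samba smb.conf.
# Not taken from the mailing-list thread; it only assumes an ini-style
# smb.conf with a [global] section (a [global] section is added if missing).

# Rewrite $1 in place so that [global] carries exactly one "acl:search = no".
# An existing acl:search line (any value) is replaced; otherwise the line is
# appended at the end of the [global] section. Running it twice is a no-op.
ensure_acl_search() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        # Any section header: if we are leaving [global] without having seen
        # the parameter, emit it before the header of the next section.
        /^[[:space:]]*\[/ {
            if (in_global && !found) { print "\tacl:search = no"; found = 1 }
            in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            if (in_global) seen_global = 1
        }
        # Existing acl:search line inside [global]: replace it.
        in_global && /^[[:space:]]*acl:search[[:space:]]*=/ {
            print "\tacl:search = no"; found = 1; next
        }
        { print }
        END {
            # [global] was the last section, or there was no [global] at all.
            if (!seen_global) { print "[global]"; in_global = 1 }
            if (in_global && !found) print "\tacl:search = no"
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the value of acl:search from [global] (empty if unset), so the
# setting can be checked on each DC before and after the change.
get_acl_search() {
    awk '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/) }
        in_global && /^[[:space:]]*acl:search[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# Usage on a DC (paths and unit name are assumptions; adjust to your system):
#   ensure_acl_search /etc/samba/smb.conf
#   get_acl_search /etc/samba/smb.conf        # expect: no
#   testparm -s >/dev/null                    # syntax check before restarting
#   systemctl restart samba-ad-dc             # a full restart, not a reload
#   ldapsearch -x -H ldap://DC -b dc=domain,dc=local "(&(gidNumber=xxxx)(!(uidNumber=*)))"
```

As the post notes, the directive is only picked up on a full restart of the service, so editing the file alone (even with a syntax check passing) leaves the running DC on the old behaviour; the final ldapsearch is the same query from the thread and is the simplest end-to-end confirmation that the search ACL path is behaving again.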

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba