[Samba] dsdb_access Access check failed on CN=Configuration
Rowland Penny
rpenny at samba.org
Wed May 22 16:07:23 UTC 2019
On 22/05/2019 16:29, Mike Ray via samba wrote:
> ----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:
>
>> Try again with :
>>
>> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
>> As in dc5.your.dns.domain.tld ...
>>
>> Whats the result.?
> The failure is still present -- no change in the output of the command:
>
> # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
> outf=self.outf, errf=self.errf)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
> self.domain_netbios = self.find_netbios()
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
> scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
Try running this on each of the DCs:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Partitions,CN=Configuration,dc=domain,dc=local' -s sub '(nETBIOSName=*)' nETBIOSName

It should return the domain name.
> # names that resolve to me
> 127.0.0.1 localhost.localdomain localhost
> 10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
Go on, I give in, why is 'dc3.otherinternaldomain.local' where it shouldn't be?
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> 10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
> 10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
> 10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
Is there something wrong with your DNS? There must be, to have those lines in /etc/hosts.
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
>
>> /etc/resolv.conf
> search domain.local
If you are going to sanitise things do everything. (I have done it for you)
> nameserver 10.52.0.55 # IP of another DC
> nameserver 10.52.0.53 # my own IP
Switch them around.
>
>
>
>> /etc/nsswitch.conf
> passwd: compat systemd
> group: compat systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
I take it you only use the DCs for authentication.
>> /etc/samba/smb.conf
> [global]
> dns forwarder = 10.52.2.101 10.52.2.102
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> load printers = no
> netbios name = dc3
> ntp signd socket directory = /var/run/samba/ntp_signd
> printcap name = /dev/null
> printing = bsd
> realm = domain.local
> server role = active directory domain controller
> workgroup = domain
> #log level = 3 auth_audit:3
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).
>
Rowland