[Samba] dsdb_access Access check failed on CN=Configuration

Rowland Penny rpenny at samba.org
Wed May 22 18:00:06 UTC 2019


On 22/05/2019 18:24, Mike Ray wrote:
> Poking around on this further, I believe the LMHOSTS error does not matter.
>
> The smb directive "name resolve order" defaults to "lmhosts wins host bcast" -- so I believe the file not found error is just because it's trying lmhosts first, not finding the file and then moving on.
>
> Eventually it hits "host" resolution and uses /etc/hosts to resolve the name.
>
> Changing the directive so that "host" is first and then re-running the command just removes the lmhosts errors; however the "ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed ..." is still present.
>
> ----- On May 22, 2019, at 11:52 AM, Mike Ray mray at xes-inc.com wrote:
>
>> Setting the log level to 10 shows this blurb in the output of the ldapcmp
>> command:
>>
>> resolve_lmhosts: Attempting lmhosts lookup for name
>> dc3.otherinternaldomain.local<0x20>
>> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file
>> or directory
>> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
>> <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
>>
>>
>> I can confirm that file does not exist.
>>
>> It is interesting that it is looking for the 'otherinternaldomain.local' instead
>> of just 'domain.local'.
>>
>> However, removing that entry from /etc/hosts does not change the output of the
>> command.

Your Samba AD DCs are all authoritative for the AD DNS domain and they 
should only know about computers etc. that are in their domain. The 
computer 'dc3.otherinternaldomain.local' is not the same computer as 
'dc3.domain.local'. Anything outside the 'domain.local' domain, which 
'dc3.otherinternaldomain.local' is, should be forwarded to a DNS server 
outside the AD domain, but I fear this will not work in this case, 
because 'dc3.otherinternaldomain.local' probably doesn't really exist.

You have confirmed (by the ldapsearch) that the record exists, so the 
problem is possibly DNS-related.

You shouldn't need those GUID records in /etc/hosts, so have you read 
this wiki page:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

If DNS is correct, when you join a DC, all the required DNS records 
should be created by samba_dnsupdate, but if the GUID record isn't 
created (and it wasn't at one time) then it fails.

Rowland
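The check Rowland points at (does each DC's GUID CNAME under _msdcs exist and point at the right host?) can be scripted. The following is an added example written for this page; it is not Samba project code and not something either poster ran. It assumes the wiki page's approach: the DSA GUID of a DC is the objectGUID of its "CN=NTDS Settings" object under CN=Configuration, and the record "<guid>._msdcs.<domain>" must be a CNAME to the DC's FQDN. The LDIF text, domain name "domain.local", DC names and GUIDs below are constructed sample data, and the hypothetical "host"-based resolver is only a hook for real use; the offline demo uses a constructed zone table in which dc3's record is deliberately missing.

```python
"""Added example: derive the _msdcs GUID CNAME records a set of Samba DCs
should have from ldbsearch-style LDIF and check them against a resolver.
Not from the Samba project or this mailing-list thread. All sample data is
constructed (hypothetical GUIDs, hosts and zone contents)."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed LDIF, shaped like the output of an ldbsearch for
# '(invocationid=*)' with --cross-ncs, which returns the NTDS Settings
# objects of every DC. GUIDs and DC names are made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGUID: 1c2d3e4f-5a6b-4c7d-8e9f-a0b1c2d3e4f5

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGUID: 9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a
"""

# Constructed zone contents keyed by (name, rrtype): dc1 is fine, dc3's
# GUID CNAME was never created (the failure mode discussed in the thread).
SAMPLE_ZONE: Dict[Tuple[str, str], str] = {
    ("9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a._msdcs.domain.local", "CNAME"):
        "dc1.domain.local.",
}


def parse_dsa_guids(ldif: str) -> Dict[str, str]:
    """Map DC short name (lower case) -> DSA GUID from NTDS Settings entries."""
    result: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn = guid = None
        for line in block.splitlines():
            if line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.lower().startswith("objectguid:"):
                guid = line.split(":", 1)[1].strip().lower()
        if not (dn and guid):
            continue
        parts = dn.split(",")
        # DN shape: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,...
        if len(parts) > 1 and parts[0].lower() == "cn=ntds settings" \
                and parts[1].lower().startswith("cn="):
            result[parts[1][3:].lower()] = guid
    return result


def expected_records(dc_guids: Dict[str, str], domain: str) -> List[Tuple[str, str, str]]:
    """(name, rrtype, expected target) for each DC's GUID CNAME. The CNAME lives
    under _msdcs of the forest root; here the domain is assumed to be the root."""
    return [(f"{guid}._msdcs.{domain}", "CNAME", f"{dc}.{domain}")
            for dc, guid in dc_guids.items()]


def check_records(records: List[Tuple[str, str, str]],
                  lookup: Callable[[str, str], Optional[str]]) -> List[str]:
    """Run lookup(name, rrtype) for every record; return a list of problems."""
    problems = []
    for name, rrtype, want in records:
        got = lookup(name, rrtype)
        if got is None:
            problems.append(f"missing {rrtype} {name} (expected -> {want})")
        elif got.rstrip(".").lower() != want.lower():
            problems.append(f"wrong {rrtype} {name}: got {got}, expected {want}")
    return problems


def host_lookup(name: str, rrtype: str) -> Optional[str]:
    """Hypothetical real resolver hook using the 'host' command; not used in
    the offline demo. 'host -t CNAME x' prints 'x is an alias for y.'"""
    out = subprocess.run(["host", "-t", rrtype, name],
                         capture_output=True, text=True).stdout
    m = re.search(r"is an alias for (\S+)", out)
    return m.group(1) if m else None


def demo() -> List[str]:
    """Offline run over the constructed LDIF and zone; returns the problems."""
    recs = expected_records(parse_dsa_guids(SAMPLE_LDIF), "domain.local")
    return check_records(recs, lambda n, t: SAMPLE_ZONE.get((n, t)))


if __name__ == "__main__":
    for p in demo():
        print(p)
```

On a real DC you would feed the script the actual ldbsearch output and pass host_lookup (or any resolver that queries the AD DNS server, not /etc/hosts, since "host" resolution in Samba's name resolve order will happily mask a missing record with a static hosts entry). A reported "missing" record is exactly the case samba_dnsupdate is supposed to fix, and the wiki page linked above shows how to create it by hand if it does not.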
