[Samba] dsdb_access Access check failed on CN=Configuration
Mike Ray
mray at xes-inc.com
Wed May 22 14:47:33 UTC 2019
All-
I've got 3 DCs (version 4.9.6-12) that, prior to today, were running without issue (as best I could tell).
Every night I run a few commands to monitor the status of the DCs/domain. I run:
* dbcheck --cross-ncs
* samba-tool drs kcc <other DCs>
* samba-tool ldapcmp <local DC> <other DCs> (domain|configuration|schema|dnsdomain|dnsforest)
* samba-tool drs showrepl
These commands are run on each DC and logged.
Since upgrading to this version about a month ago, I have not seen issues since offsetting the CRONs (offsetting the run times fixed an intermittent error with the KCC command).
However, this morning, I find that the LDAPCMP command is failing on all 3 DCs.
The error is the same on all DCs and the same for domain, configuration, etc:
# samba-tool ldapcmp dc5 DC3 DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
All the other commands noted above run without issue.
I used "samba-tool visual reps" and found that for some DSAs, each DC thinks it has no communication to the others. For example, this is some of the output from DC3:
RepsFrom objects for CONFIGURATION
destination
,--- CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
|,-- CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
source ||,- CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local 011
CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -01
CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -10
As "samba-tool drs showrepl" does not show any errors, I am not sure if replication is broken or not. But without "samba-tool ldapcmp" functional, I cannot verify.
Seemingly, no one changed anything on these machines (except I changed logging levels yesterday and did restart the service).
Anyone have any idea where to start debugging here? My Google-fu failed to find anything relevant.
Mike Ray
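The nightly check set described in the post, wrapped so that the specific failure it reports (an ldb "Access check failed" error from ldapcmp) is recognised and reported per command rather than buried in a log. This is an added example, not code from the post or from Samba; it assumes samba-tool is on PATH, and the `runner` parameter exists only so the logic can be exercised without live DCs.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# Naming partitions the post compares with ldapcmp.
PARTITIONS = ["domain", "configuration", "schema", "dnsdomain", "dnsforest"]

# Matches the ldb error line quoted in the post and captures the LDAP result code
# and the DN on which dsdb_access refused the lookup.
ACCESS_RE = re.compile(
    r"LDAP error (\d+) \S+ - <dsdb_access: Access check failed on ([^>]+)>"
)

def build_checks(local: str, others: List[str]) -> List[List[str]]:
    """The post's nightly command set for one DC against its peers."""
    cmds = [["samba-tool", "dbcheck", "--cross-ncs"]]
    for peer in others:
        cmds.append(["samba-tool", "drs", "kcc", peer])
        for part in PARTITIONS:
            cmds.append(["samba-tool", "ldapcmp", local, peer, part])
    cmds.append(["samba-tool", "drs", "showrepl"])
    return cmds

def default_runner(cmd: List[str]) -> Tuple[int, str]:
    """Run one samba-tool command, returning (exit code, combined output)."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr

def classify(rc: int, output: str) -> Tuple[str, str]:
    """Label a command result: access-denied (the post's error), failed, or ok."""
    m = ACCESS_RE.search(output)
    if m:
        return "access-denied", f"LDAP {m.group(1)} on {m.group(2)}"
    if rc != 0:
        first = output.strip().splitlines()
        return "failed", first[0] if first else f"exit {rc}"
    return "ok", ""

def run_checks(local: str, others: List[str],
               runner: Callable[[List[str]], Tuple[int, str]] = default_runner):
    """Run every check and return (command, status, detail) per command."""
    results = []
    for cmd in build_checks(local, others):
        rc, out = runner(cmd)
        status, detail = classify(rc, out)
        results.append((" ".join(cmd), status, detail))
    return results
```

Anything other than "ok" in the result list is what should page someone, so the morning after a failure it is visible in one place instead of across three DCs' logs.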