[Samba] dsdb_access Access check failed on CN=Configuration
L.P.H. van Belle
belle at bazuin.nl
Wed May 22 15:01:00 UTC 2019
Try again with:

samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST

As in dc5.your.dns.domain.tld ...
What's the result?

If it fails, please tell us your:
OS?
Content of:
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/samba/smb.conf

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mike Ray via samba
> Sent: Wednesday 22 May 2019 16:48
> To: samba
> Subject: [Samba] dsdb_access Access check failed on CN=Configuration
>
> All-
>
> I've got 3 DCs (version 4.9.6-12) that, prior to today, were
> running without issue (as best I could tell).
>
> Every night I run a few commands to monitor the status of the
> DCs/domain. I run:
> * dbcheck --cross-ncs
> * samba-tool drs kcc <other DCs>
> * samba-tool ldapcmp <local DC> <other DCs>
> (domain|configuration|schema|dnsdomain|dnsforest)
> * samba-tool drs showrepl
>
> These commands are run on each DC and logged.
>
> Since upgrading to this version about a month ago, I have not
> seen issues since offsetting the CRONs (offsetting the run
> times fixed an intermittent error with the KCC command).
>
> However, this morning, I find that the LDAPCMP command is
> failing on all 3 DCs.
>
> The error is the same on all DCs and the same for domain,
> configuration, etc:
>
> # samba-tool ldapcmp dc5 DC3 DNSFOREST
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
>     self.domain_netbios = self.find_netbios()
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
>     scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
>
> All the other commands noted above run without issue.
>
> I used "samba-tool visual reps" and found that for some DSAs,
> each DC thinks it has no communication to the others.
> For example, this is some of the output from DC3:
>
>
>
> RepsFrom objects for CONFIGURATION
>
>        destination
>        ,--- CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
>        |,-- CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> source ||,- CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local 011
> CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -01
> CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -10
>
>
> As "samba-tool drs showrepl" does not show any errors, I am
> not sure if replication is broken or not. But without
> "samba-tool ldapcmp" functional, I cannot verify.
>
> Seemingly, no one changed anything on these machines (except
> I changed logging levels yesterday and did restart the service).
>
>
> Anyone have any idea where to start debugging here? My
> Google-fu failed to find anything relevant.
>
>
> Mike Ray
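One way to catch this failure in the nightly logs described in the original message, as an added example that is not part of the thread or of Samba's own code: it scans captured samba-tool output for the `ERROR(ldb)` line and extracts the LDAP result code and the DN named in the access-check message, so a monitoring job can alert on it. The sample log is constructed from the error text quoted above; the `== <command>` section markers and the function name `find_ldb_failures` are assumptions.

```python
import re
import sys

# Constructed sample: one night's log from one DC. The ERROR(ldb) text is the
# error quoted in the thread; the "== <command>" markers and the other lines
# are assumptions about how the cron job writes its log.
SAMPLE_LOG = """\
== samba-tool dbcheck --cross-ncs
Checked 3912 objects (0 errors)
== samba-tool ldapcmp dc5 DC3 DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
== samba-tool drs showrepl
(output omitted)
"""

# \s+ between fields so the match survives line wrapping in mailed logs.
LDB_ERROR = re.compile(
    r"ERROR\(ldb\): uncaught exception - LDAP error (?P<code>\d+)\s+"
    r"(?P<name>LDAP_[A-Z_]+)\s+-\s+<(?P<detail>[^>]*)>")
ACCESS_DN = re.compile(r"dsdb_access: Access check failed on (?P<dn>.+)")


def find_ldb_failures(log_text):
    """Return one dict per ERROR(ldb) entry, tagged with the command that hit it."""
    failures = []
    # re.split with a capture group yields [preamble, cmd1, body1, cmd2, body2, ...]
    parts = re.split(r"^== (.+)$", log_text, flags=re.M)
    for command, body in zip(parts[1::2], parts[2::2]):
        for m in LDB_ERROR.finditer(body):
            detail = " ".join(m.group("detail").split())  # undo line wrapping
            dn = ACCESS_DN.search(detail)
            failures.append({
                "command": command.strip(),
                "code": int(m.group("code")),
                "name": m.group("name"),
                "access_check_dn": dn.group("dn") if dn else None,
            })
    return failures


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = find_ldb_failures(text)
    for f in found:
        print("{command}: LDAP {code} {name} on {access_check_dn}".format(**f))
    sys.exit(1 if found else 0)  # non-zero exit lets cron or a wrapper alert
```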