[Samba] dsdb_access Access check failed on CN=Configuration
Mike Ray
mray at xes-inc.com
Wed May 22 15:29:21 UTC 2019
----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:
> Try again with :
>
> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
> As in dc5.your.dns.domain.tld ...
>
> What's the result?
The failure is still present -- no change in the output of the command:
# samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
> If it fails, please tell us your:
>
> OS?
All 3 DCs are Ubuntu 18.04.
> Content of
>
> /etc/hosts
# names that resolve to me
127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
> /etc/resolv.conf
search x-es.com
nameserver 10.52.0.55 # IP of another DC
nameserver 10.52.0.53 # my own IP
> /etc/nsswitch.conf
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
> /etc/samba/smb.conf
[global]
    dns forwarder = 10.52.2.101 10.52.2.102
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = no
    load printers = no
    netbios name = dc3
    ntp signd socket directory = /var/run/samba/ntp_signd
    printcap name = /dev/null
    printing = bsd
    realm = domain.local
    server role = active directory domain controller
    workgroup = domain
    #log level = 3 auth_audit:3

[netlogon]
    path = /var/lib/samba/sysvol/x-es.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).
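As an added example (not from the thread or from Samba itself), a small Python check for the /etc/hosts pinning shown above: it parses the output of the post's ldbsearch command and the hosts file, and reports DSA GUIDs that have no `<guid>._msdcs.<realm>` entry as well as stale entries whose GUID is no longer in the directory. The sample ldbsearch output and hosts file are constructed; the GUIDs are the three from the post, while the DC name dc4 and the site name are assumptions.

```python
import re

REALM = "domain.local"  # realm from the post's smb.conf
GUID_RE = re.compile(r"^objectGUID: ([0-9a-f-]{36})\s*$", re.M | re.I)

# Constructed sample of the post's ldbsearch output.  The GUIDs are the three
# from the post's /etc/hosts; the DC name dc4 and the site name are assumed.
LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGUID: 83c5f098-c119-44e8-b03d-762677d9ea62

# record 2
dn: CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGUID: 1ad90669-7a5b-4109-aacd-ec1ab180aa88

# record 3
dn: CN=NTDS Settings,CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectGUID: d93756d7-a076-4c7a-8b9a-473770a55e74
"""

# Constructed /etc/hosts in the post's layout: dc5's pin is missing and one
# pin names a GUID the directory no longer has (e.g. left over from a re-join).
HOSTS = """\
127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3
10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
10.52.0.55 00000000-0000-4000-8000-000000000000._msdcs.domain.local  # stale
"""

def directory_guids(ldif):
    """objectGUID of every NTDS Settings object in the ldbsearch output."""
    return {g.lower() for g in GUID_RE.findall(ldif)}

def hosts_msdcs(hosts, realm=REALM):
    """Map GUID -> IP for each '<guid>._msdcs.<realm>' name pinned in hosts."""
    suffix = "._msdcs." + realm.lower()
    pinned = {}
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, tokenize
        for name in fields[1:]:
            if name.lower().endswith(suffix):
                pinned[name.lower()[:-len(suffix)]] = fields[0]
    return pinned

def check_msdcs(ldif, hosts, realm=REALM):
    """(missing, stale): live DSA GUIDs with no pin, pins whose GUID is gone."""
    live, pinned = directory_guids(ldif), set(hosts_msdcs(hosts, realm))
    return sorted(live - pinned), sorted(pinned - live)
```

Run it against the real ldbsearch output and /etc/hosts of each DC; a non-empty result on any DC means that DC resolves a replication partner's DSA name by hand-pinned data that no longer matches the directory.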