[Samba] dsdb_access Access check failed on CN=Configuration

Mike Ray mray at xes-inc.com
Wed May 22 15:29:21 UTC 2019

----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:

> Try again with :
> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
> As in dc5.your.dns.domain.tld ...
> Whats the result.?

The failure is still present -- no change in the output of the command:

 # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

> If it fails, please tell os your:
> OS?

All 3 DCs are Ubuntu 18.04.

> Content of
> /etc/hosts

# names that resolve to me localhost.localdomain localhost dc3.domain.local dc3.otherinternaldomain.local dc3

# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/resolv.conf

search x-es.com
nameserver # IP of another DC
nameserver # my own IP

> /etc/nsswitch.conf

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

> /etc/samba/smb.conf

        dns forwarder =
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        load printers = no
        netbios name = dc3
        ntp signd socket directory = /var/run/samba/ntp_signd
        printcap name = /dev/null
        printing = bsd
        realm = domain.local
        server role = active directory domain controller
        workgroup = domain
        #log level = 3 auth_audit:3

        path = /var/lib/samba/sysvol/x-es.com/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No


I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).

More information about the samba mailing list