[Samba] dsdb_access Access check failed on CN=Configuration

Mike Ray mray at xes-inc.com
Wed May 22 16:29:29 UTC 2019



----- On May 22, 2019, at 11:07 AM, samba samba at lists.samba.org wrote:

> On 22/05/2019 16:29, Mike Ray via samba wrote:
>> ----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:
>>
>>> Try again with :
>>>
>>> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
>>> As in dc5.your.dns.domain.tld ...
>>>
>>> Whats the result.?
>> The failure is still present -- no change in the output of the command:
>>
>>   # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
>> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
>> <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
>>      outf=self.outf, errf=self.errf)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
>>      self.domain_netbios = self.find_netbios()
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
>>      scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
> 
> try running this on each of the DC's:
> 
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b
> 'CN=Partitions,CN=Configuration,dc=domain,dc=local' -s sub
> '(nETBIOSName=*)' nETBIOSName
> 
> It should return the domain name.

It does on all 3 DCs

> 
>> # names that resolve to me
>> 127.0.0.1 localhost.localdomain localhost
>> 10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
> Go on, I give in, why is 'dc3.otherinternaldomain.local' where it
> shouldn't be ?

We have two internal DNS domains. One that is associated with AD, one that is not.

'dc3.otherinternaldomain.local' was added to /etc/hosts (and a similar record on the other DCs) so that it would be able to resolve its name if a request came in that had the other domain appended.


>>
>> # ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs
>> objectguid
>> 10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
>> 10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
>> 10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
> Is there something wrong with your dns ? there must be to have those
> lines in /etc/hosts

When testing the upgrade, I could not get replication to work.

Then I stumbled upon this old mailing list post that mentioned adding these records to /etc/hosts and fixing replication errors: https://lists.samba.org/archive/samba/2014-August/184479.html

While the original poster was apparently able to get replication to work without these records, I never was and kept them.


>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>>
>>> /etc/resolv.conf
>> search domain.local
> If you are going to sanitise things do everything. (I have done it for you)

Oops. Thanks.

>> nameserver 10.52.0.55 # IP of another DC
>> nameserver 10.52.0.53 # my own IP
> Switch them around.

Switching them around did not change the output of ldapcmp.


>>
>>
>>
>>> /etc/nsswitch.conf
>> passwd:         compat systemd
>> group:          compat systemd
>> shadow:         compat
>> gshadow:        files
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
> I take it you only use the DC's for authentication

Correct.

>>> /etc/samba/smb.conf
>> [global]
>>          dns forwarder = 10.52.2.101 10.52.2.102
>>          idmap_ldb:use rfc2307 = yes
>>          ldap server require strong auth = no
>>          load printers = no
>>          netbios name = dc3
>>          ntp signd socket directory = /var/run/samba/ntp_signd
>>          printcap name = /dev/null
>>          printing = bsd
>>          realm = domain.local
>>          server role = active directory domain controller
>>          workgroup = domain
>>          #log level = 3 auth_audit:3
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/domain.local/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>>
>> I should also mention that replication still appears functional at some level. I
>> set the uidNumber of an account and then verified that all 3 DCs had that
>> information via ldapsearch. So something is broken, but I am not sure quite
>> what or what the impact of it is (besides the failing commands).
>>
> Rowland
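The three resolver points raised in this exchange (the realm must be in the search list, a DC should list its own IP as the first nameserver, and the DC's /etc/hosts line should not carry names from a second DNS domain) are easy to codify as a small audit. The script below is an added example written for this archive page; it is not code from the thread or from the Samba project. It takes the file paths, the DC's IP and the realm as arguments, and the sample resolv.conf and hosts files it writes are constructed from the sanitised values quoted above (10.52.0.53, domain.local), not real configuration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): resolver sanity checks
# for a Samba AD DC, written as functions that take file paths so they can
# be run against constructed samples as well as the real /etc files.

# check_search_domain RESOLV_CONF REALM
# Returns 0 if a "search" line in RESOLV_CONF lists REALM, 1 otherwise.
check_search_domain() {
    awk -v realm="$2" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == realm) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_resolv_order RESOLV_CONF OWN_IP
# Returns 0 if the first nameserver line names OWN_IP (a DC should query
# its own DNS first), 1 otherwise.
check_resolv_order() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# foreign_hosts_names HOSTS IP REALM
# Prints every name on the /etc/hosts line for IP that is fully qualified
# but not under REALM; prints nothing when that line is clean.
foreign_hosts_names() {
    awk -v ip="$2" -v realm="$3" '
        $1 == ip {
            for (i = 2; i <= NF; i++)
                if (index($i, ".") && substr($i, length($i) - length(realm)) != "." realm)
                    print $i
        }' "$1"
}

# audit_dc RESOLV_CONF HOSTS OWN_IP REALM
# Runs all three checks, prints one line per finding and returns the
# number of failed checks (0 means clean).
audit_dc() {
    fails=0
    check_search_domain "$1" "$4" || { echo "search list lacks $4"; fails=$((fails + 1)); }
    check_resolv_order "$1" "$3" || { echo "first nameserver is not this DC ($3)"; fails=$((fails + 1)); }
    foreign=$(foreign_hosts_names "$2" "$3" "$4")
    [ -z "$foreign" ] || { echo "names outside $4 on the $3 line: $foreign"; fails=$((fails + 1)); }
    return $fails
}

# Constructed sample files mirroring the sanitised values in the thread
# (not the poster's real files). The resolv.conf deliberately has the
# other DC first, and the hosts line carries a second-domain name.
TMP=$(mktemp -d)
cat > "$TMP/resolv.conf" <<'EOF'
search domain.local
nameserver 10.52.0.55 # IP of another DC
nameserver 10.52.0.53 # my own IP
EOF
cat > "$TMP/hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
EOF

if audit_dc "$TMP/resolv.conf" "$TMP/hosts" 10.52.0.53 domain.local; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
```

On a real DC you would call `audit_dc /etc/resolv.conf /etc/hosts <own IP> <realm>` on each DC in turn; the sample above reports two findings (nameserver order and the dc3.otherinternaldomain.local entry), which is exactly the state the thread is discussing.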



More information about the samba mailing list