Mike Ray
2019-May-22 14:47 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
All-

I've got 3 DCs (version 4.9.6-12) that, prior to today, were running without issue (as best I could tell).

Every night I run a few commands to monitor the status of the DCs/domain. I run:
* dbcheck --cross-ncs
* samba-tool drs kcc <other DCs>
* samba-tool ldapcmp <local DC> <other DCs> (domain|configuration|schema|dnsdomain|dnsforest)
* samba-tool drs showrepl

These commands are run on each DC and logged.

Since upgrading to this version about a month ago, I have not seen issues since offsetting the CRONs (offsetting the run times fixed an intermittent error with the KCC command).

However, this morning, I find that the LDAPCMP command is failing on all 3 DCs.

The error is the same on all DCs and the same for domain, configuration, etc:

# samba-tool ldapcmp dc5 DC3 DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

All the other commands noted above run without issue.

I used "samba-tool visual reps" and found that, for some DSAs, each DC thinks it has no communication to the others. For example, this is some of the output from DC3:

RepsFrom objects for CONFIGURATION

destination
       ,--- CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
       |,-- CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
source ||,- CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local 011
CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -01
CN=DC5,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local -10

As "samba-tool drs showrepl" does not show any errors, I am not sure if replication is broken or not. But without "samba-tool ldapcmp" functional, I cannot verify.

Seemingly, no one changed anything on these machines (except I changed logging levels yesterday and did restart the service).

Anyone have any idea where to start debugging here? My Google-fu failed to find anything relevant.

Mike Ray
L.P.H. van Belle
2019-May-22 15:01 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
Try again with:

samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST

As in dc5.your.dns.domain.tld ...

What's the result?

If it fails, please tell us your:

OS?

Content of
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/samba/smb.conf

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mike Ray via samba
> Sent: Wednesday 22 May 2019 16:48
> To: samba
> Subject: [Samba] dsdb_access Access check failed on CN=Configuration
Mike Ray
2019-May-22 15:29 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:

> Try again with:
>
> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
> As in dc5.your.dns.domain.tld ...
>
> What's the result?

The failure is still present -- no change in the output of the command:

# samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

> If it fails, please tell us your:
>
> OS?

All 3 DCs are Ubuntu 18.04.

> Content of
>
> /etc/hosts

# names that resolve to me
127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3

# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/resolv.conf

search x-es.com
nameserver 10.52.0.55 # IP of another DC
nameserver 10.52.0.53 # my own IP

> /etc/nsswitch.conf

passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

> /etc/samba/smb.conf

[global]
        dns forwarder = 10.52.2.101 10.52.2.102
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        load printers = no
        netbios name = dc3
        ntp signd socket directory = /var/run/samba/ntp_signd
        printcap name = /dev/null
        printing = bsd
        realm = domain.local
        server role = active directory domain controller
        workgroup = domain
        #log level = 3 auth_audit:3

[netlogon]
        path = /var/lib/samba/sysvol/x-es.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).