Mike Ray
2019-May-22 15:29 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:

> Try again with :
>
> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
> As in dc5.your.dns.domain.tld ...
>
> What's the result?

The failure is still present -- no change in the output of the command:

# samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

> If it fails, please tell us your:
>
> OS?

All 3 DCs are Ubuntu 18.04.

> Content of
>
> /etc/hosts

# names that resolve to me
127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/resolv.conf

search x-es.com
nameserver 10.52.0.55 # IP of another DC
nameserver 10.52.0.53 # my own IP

> /etc/nsswitch.conf

passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

> /etc/samba/smb.conf

[global]
dns forwarder = 10.52.2.101 10.52.2.102
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
load printers = no
netbios name = dc3
ntp signd socket directory = /var/run/samba/ntp_signd
printcap name = /dev/null
printing = bsd
realm = domain.local
server role = active directory domain controller
workgroup = domain
#log level = 3 auth_audit:3

[netlogon]
path = /var/lib/samba/sysvol/x-es.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).
Rowland penny
2019-May-22 16:07 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
On 22/05/2019 16:29, Mike Ray via samba wrote:
> ----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:
>
>> Try again with :
>>
>> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
>> As in dc5.your.dns.domain.tld ...
>>
>> What's the result?
> The failure is still present -- no change in the output of the command:
>
> # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
>     outf=self.outf, errf=self.errf)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
>     self.domain_netbios = self.find_netbios()
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
>     scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

Try running this on each of the DCs:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Partitions,CN=Configuration,dc=domain,dc=local' -s sub '(nETBIOSName=*)' nETBIOSName

It should return the domain name.

> # names that resolve to me
> 127.0.0.1 localhost.localdomain localhost
> 10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3

Go on, I give in, why is 'dc3.otherinternaldomain.local' where it shouldn't be?

> # ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> 10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
> 10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
> 10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local

Is there something wrong with your DNS? There must be to have those lines in /etc/hosts.

> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>> /etc/resolv.conf
> search domain.local

If you are going to sanitise things do everything. (I have done it for you)

> nameserver 10.52.0.55 # IP of another DC
> nameserver 10.52.0.53 # my own IP

Switch them around.

>> /etc/nsswitch.conf
> passwd: compat systemd
> group: compat systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis

I take it you only use the DCs for authentication.

>> /etc/samba/smb.conf
> [global]
> dns forwarder = 10.52.2.101 10.52.2.102
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> load printers = no
> netbios name = dc3
> ntp signd socket directory = /var/run/samba/ntp_signd
> printcap name = /dev/null
> printing = bsd
> realm = domain.local
> server role = active directory domain controller
> workgroup = domain
> #log level = 3 auth_audit:3
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).

Rowland
Mike Ray
2019-May-22 16:29 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
----- On May 22, 2019, at 11:07 AM, samba samba at lists.samba.org wrote:
> On 22/05/2019 16:29, Mike Ray via samba wrote:
>> ----- On May 22, 2019, at 10:01 AM, samba samba at lists.samba.org wrote:
>>
>>> Try again with :
>>>
>>> samba-tool ldapcmp dc5.$(hostname -d) dc3.$(hostname -d) DNSFOREST
>>> As in dc5.your.dns.domain.tld ...
>>>
>>> What's the result?
>> The failure is still present -- no change in the output of the command:
>>
>> # samba-tool ldapcmp dc3.domain.local dc5.domain.local DNSFOREST
>> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - <dsdb_access: Access check failed on CN=Configuration,DC=domain,DC=local> <>
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972, in run
>>     outf=self.outf, errf=self.errf)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79, in __init__
>>     self.domain_netbios = self.find_netbios()
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115, in find_netbios
>>     scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
>
> Try running this on each of the DCs:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Partitions,CN=Configuration,dc=domain,dc=local' -s sub '(nETBIOSName=*)' nETBIOSName
>
> It should return the domain name.

It does on all 3 DCs.

>> # names that resolve to me
>> 127.0.0.1 localhost.localdomain localhost
>> 10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
> Go on, I give in, why is 'dc3.otherinternaldomain.local' where it shouldn't be?

We have two internal DNS domains. One that is associated with AD, one that is not. 'dc3.otherinternaldomain.local' was added to /etc/hosts (and a similar record on the other DCs) so that it would be able to resolve its name if a request came in that had the other domain appended.

>> # ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>> 10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
>> 10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
>> 10.52.0.55 d93756d7-a076-4c7a-8b9a-473770a55e74._msdcs.domain.local
> Is there something wrong with your DNS? There must be to have those lines in /etc/hosts.

When testing the upgrade, I could not get replication to work. Then I stumbled upon this old mailing list post that mentioned adding these records to /etc/hosts and fixing replication errors:

https://lists.samba.org/archive/samba/2014-August/184479.html

While the original poster was apparently able to get replication to work without these records, I never was and kept them.

>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>> /etc/resolv.conf
>> search domain.local
> If you are going to sanitise things do everything. (I have done it for you)

Oops. Thanks.

>> nameserver 10.52.0.55 # IP of another DC
>> nameserver 10.52.0.53 # my own IP
> Switch them around.

Switching them around did not change the output of ldapcmp.

>>> /etc/nsswitch.conf
>> passwd: compat systemd
>> group: compat systemd
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
> I take it you only use the DCs for authentication.

Correct.

>>> /etc/samba/smb.conf
>> [global]
>> dns forwarder = 10.52.2.101 10.52.2.102
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> load printers = no
>> netbios name = dc3
>> ntp signd socket directory = /var/run/samba/ntp_signd
>> printcap name = /dev/null
>> printing = bsd
>> realm = domain.local
>> server role = active directory domain controller
>> workgroup = domain
>> #log level = 3 auth_audit:3
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/domain.local/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> I should also mention that replication still appears functional at some level. I set the uidNumber of an account and then verified that all 3 DCs had that information via ldapsearch. So something is broken, but I am not sure quite what or what the impact of it is (besides the failing commands).
>>
> Rowland
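The checks Rowland walks through above (search domain versus realm, which nameserver the DC asks first, and AD names such as the _msdcs CNAMEs being carried in /etc/hosts rather than served by AD DNS) as one small audit script. This is an added example, not part of the thread or of Samba; the file contents are constructed from the sanitised configuration quoted in the thread, and the message strings are my own.

```python
import re

# Constructed samples mirroring the configuration quoted in the thread.
SMB_CONF = """[global]
netbios name = dc3
realm = domain.local
"""
HOSTS = """127.0.0.1 localhost.localdomain localhost
10.52.0.53 dc3.domain.local dc3.otherinternaldomain.local dc3
10.52.0.53 83c5f098-c119-44e8-b03d-762677d9ea62._msdcs.domain.local
10.52.0.54 1ad90669-7a5b-4109-aacd-ec1ab180aa88._msdcs.domain.local
"""
RESOLV = """search x-es.com
nameserver 10.52.0.55 # IP of another DC
nameserver 10.52.0.53 # my own IP
"""

def smb_param(conf, key):
    """Read one value from smb.conf text (key match is case-insensitive)."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), conf, re.M | re.I)
    return m.group(1).lower() if m else None

def hosts_entries(text):
    """Yield (ip, name) pairs from /etc/hosts text, ignoring comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            yield parts[0], name.lower()

def audit(smb_conf, hosts, resolv):
    """Return a list of findings; an empty list means the files look sane."""
    findings = []
    realm = smb_param(smb_conf, "realm")
    own_fqdn = "%s.%s" % (smb_param(smb_conf, "netbios name"), realm)
    entries = list(hosts_entries(hosts))
    own_ips = {ip for ip, name in entries if name == own_fqdn}
    # AD names answered from /etc/hosts bypass AD DNS and go stale silently
    # (an _msdcs CNAME changes whenever a DC's invocationId changes).
    for ip, name in entries:
        if "._msdcs." in name:
            findings.append("hosts: %s -> %s must come from AD DNS, not /etc/hosts" % (name, ip))
        elif "." in name and name != own_fqdn and not name.startswith("localhost"):
            findings.append("hosts: %s is resolved from /etc/hosts instead of DNS" % name)
    # resolv.conf: the search domain is the realm, and a DC should ask itself first.
    search = re.search(r"^search\s+(\S+)", resolv, re.M)
    if not search or search.group(1).lower() != realm:
        findings.append("resolv.conf: search domain should be %s" % realm)
    ns = re.findall(r"^nameserver\s+(\S+)", resolv, re.M)
    if ns and ns[0] not in own_ips:
        findings.append("resolv.conf: first nameserver %s is not this DC (%s)" % (ns[0], ", ".join(sorted(own_ips)) or "unknown"))
    return findings
```

On a real DC, pass the contents of /etc/samba/smb.conf, /etc/hosts and /etc/resolv.conf to audit() instead of the constructed strings.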