Mike Ray
2019-May-24 14:02 UTC
[Samba] dsdb_access Access check failed on CN=Configuration
> > OK -- I fixed this issue.
> >
> > The fix also fixed the issue where the following ldapsearch command used to return but no longer did:
> > # ldapsearch -x -H ldap://DC -b dc=domain,dc=local "(&(gidNumber=xxxx)(!(uidNumber=*)))"
> >
> > The answer is that I needed to re-add "acl:search = no" to the smb.conf to all DCs.
> >
> > The question is why?
> >
> > I upgraded from a custom compiled Samba ~4.0 to Samba 4.9 about a little over a month ago.
> >
> > Shortly after upgrading, I noted strange behavior with seemingly high CPU/RAM usage on DCs causing logon issues. Additionally, I was seeing errors in the output of "samba-tool drs kcc <DC>". That discussion is here: https://lists.samba.org/archive/samba/2019-April/222643.html
> >
> > The first problem of high load seemed to resolve itself after we increased resources on the system and tweaked AV settings on the box.
> >
> > The second problem was resolved by off-setting CRONs so that "samba-tool drs kcc <DC>" did not run at the same time.
> >
> > However, while debugging with the list, several smb.conf edits were suggested. One suggestion was the removal of "acl:search = no". It was noted that it was a very old fix and unlikely to be needed now. However, it seems I do need it.
> >
> > Does anyone have any information on that directive? I'm having issues finding it in the man page.
> > Also - why did the error take 3 weeks to show up?

I realized the time-lapse from removing the setting to the problem showing is because the "search:acl" directive only takes effect when the entire service is restarted, which I did not do when I first made the configuration edit. So the only mystery is why our setup still needs such an old configuration option.

Mike Ray