Sebastian Arcus
2018-Mar-12 11:11 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
I have a Samba AD running Samba 4.7.5. Everything was working fine, when, seemingly out of the blue, the users started to be denied access to all shares. If I try from a Windows 7 or Windows 10 machine, logged in as a user in "Domain Users", I get:

"Windows cannot access \\server-name\share_name. You do not have permission to access \\server-name\share_name"

If I use smbclient, it allows me to log in on the share, but if I do 'ls', I get:

smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I have tried the following:

1. The Domain admin can still access the shares - both from smbclient and from Windows machines.

2. I have checked the ACLs on the server, they look ok:

# getfacl share_name/
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---

3. "wbinfo -g" and "wbinfo -u" work correctly

4. Kerberos tests work correctly

5. There are no errors in the Bind/dns configuration

6. I have logged in through Windows and reset the permissions there to allow "Domain Users" on the share

7. All my smb.conf shares look like this:

[share_name]
    path = /srv/samba/share_name
    read only = No
    inherit acls = yes

I am at a loss how "Domain Users" is denied access to the share, when everything appears to be fine. Any suggestions much appreciated!
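Added example (not part of the original post and not Samba code): a small Python parser for the getfacl output quoted above. It decodes the \134 and \040 octal escapes and computes what the POSIX ACL alone grants to a non-owner member of a group. The function names are hypothetical, and comparing group names case-insensitively is an assumption.

```python
import re

# Constructed sample: the getfacl output quoted in the post, as one string.
SAMPLE = r"""# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl prints characters such as backslash and space as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": "", "group": "", "access": [], "default": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unescape(value.strip())
        elif line and not line.startswith("#"):
            line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            scope = "default" if line.startswith("default:") else "access"
            line = line.removeprefix("default:")  # Python 3.9+
            tag, qualifier, perms = line.split(":")
            acl[scope].append((tag, unescape(qualifier), perms))
    return acl

def group_rights(acl, group, scope="access"):
    """Rights a non-owner member of `group` gets from the POSIX ACL alone."""
    entries = acl[scope]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    matched, granted = False, set()
    for tag, qualifier, perms in entries:
        name = qualifier or acl["group"]  # empty qualifier = owning group
        if tag == "group" and name.lower() == group.lower():
            matched = True
            granted |= set(perms) & set(mask)
    if not matched:  # no group entry applies: fall through to "other"
        granted = set(next((p for t, _, p in entries if t == "other"), ""))
    return "".join(c for c in "rwx" if c in granted)
```

This evaluates only the POSIX ACL on the one directory shown; it does not look at parent directories or at anything Samba layers on top.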
Rowland Penny
2018-Mar-12 11:28 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On Mon, 12 Mar 2018 11:11:44 +0000 Sebastian Arcus via samba <samba at lists.samba.org> wrote:

> I have a Samba AD running Samba 4.7.5. Everything was working fine,
> when, seemingly out of the blue, the users started to be denied
> access to all shares. If I try from a Windows 7 or Windows 10
> machine, logged in as a user in "Domain Users", I get:
>
> "Windows cannot access \\server-name\share_name. You do not have
> permission to access \\server-name\share_name"
>
> If I use smbclient, it allows me to log in on the share, but if I do
> 'ls', I get:
>
> smb: \> ls
> NT_STATUS_ACCESS_DENIED listing \*
>
> I have tried the following:
>
> 1. The Domain admin can still access the shares - both from smbclient
> and from Windows machines.
>
> 2. I have checked the ACLs on the server, they look ok:
>
> # getfacl share_name/
> # file: clients/
> # owner: root
> # group: MYDOMAIN\134domain\040users
> user::rwx
> group::rwx
> group:MYDOMAIN\134domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:group::rwx
> default:group:MYDOMAIN\134domain\040users:rwx
> default:mask::rwx
> default:other::---
>
> 3. "wbinfo -g" and "wbinfo -u" work correctly
>
> 4. Kerberos tests work correctly
>
> 5. There are no errors in the Bind/dns configuration
>
> 6. I have logged in through Windows and reset the permissions there
> to allow "Domain Users" on the share
>
> 7. All my smb.conf shares look like this:
>
> [share_name]
>     path = /srv/samba/share_name
>     read only = No
>     inherit acls = yes
>
>
> I am at a loss how "Domain Users" is denied access to the share, when
> everything appears to be fine. Any suggestions much appreciated!
>

Can you post your entire smb.conf (as on disk)?

Rowland
Sebastian Arcus
2018-Mar-12 11:36 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 11:28, Rowland Penny via samba wrote:

> On Mon, 12 Mar 2018 11:11:44 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>
>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>> when, seemingly out of the blue, the users started to be denied
>> access to all shares. If I try from a Windows 7 or Windows 10
>> machine, logged in as a user in "Domain Users", I get:
>>
>> "Windows cannot access \\server-name\share_name. You do not have
>> permission to access \\server-name\share_name"
>>
>> If I use smbclient, it allows me to log in on the share, but if I do
>> 'ls', I get:
>>
>> smb: \> ls
>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> I have tried the following:
>>
>> 1. The Domain admin can still access the shares - both from smbclient
>> and from Windows machines.
>>
>> 2. I have checked the ACLs on the server, they look ok:
>>
>> # getfacl share_name/
>> # file: clients/
>> # owner: root
>> # group: MYDOMAIN\134domain\040users
>> user::rwx
>> group::rwx
>> group:MYDOMAIN\134domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:group::rwx
>> default:group:MYDOMAIN\134domain\040users:rwx
>> default:mask::rwx
>> default:other::---
>>
>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>
>> 4. Kerberos tests work correctly
>>
>> 5. There are no errors in the Bind/dns configuration
>>
>> 6. I have logged in through Windows and reset the permissions there
>> to allow "Domain Users" on the share
>>
>> 7. All my smb.conf shares look like this:
>>
>> [share_name]
>>     path = /srv/samba/share_name
>>     read only = No
>>     inherit acls = yes
>>
>>
>> I am at a loss how "Domain Users" is denied access to the share, when
>> everything appears to be fine. Any suggestions much appreciated!
>>
>
> Can you post your entire smb.conf (as on disk)

Hi Rowland.
Please find the smb.conf below:

# Global parameters
[global]
    netbios name = HEBU-SERVER
    realm = HEBU.LAN
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = HEBU
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    bind interfaces only = Yes
    interfaces = lo br0 tun0
    log file = /var/log/samba/%m.log
    #cap log file
    max log size = 1000
    mangling method = hash2
    mangle prefix = 6
    reset on zero vc = Yes
    deadtime = 10
    load printers = yes
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss: architecture = Windows x64

[netlogon]
    path = /var/lib/samba/sysvol/hebu.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[printers]
    path = /var/spool/samba
    printable = yes
    printing = cups
    cups options = raw

[print$]
    path = /var/lib/samba/printers
    read only = no

[admin]
    path = /srv/samba/admin
    read only = No
    inherit acls = yes
    ####################################
    # Recycle bin options
    vfs objects = recycle
    recycle:repository = Recycle.Bin
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0770
    recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
    recycle:versions = Yes
    recycle:touch_mtime = Yes
    recycle:keeptree = No
    recycle:minsize = 1

[clients]
    path = /srv/samba/clients
    read only = No
    inherit acls = yes
    ####################################
    # Recycle bin options
    vfs objects = recycle
    recycle:repository = Recycle.Bin
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0770
    recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
    recycle:versions = Yes
    recycle:touch_mtime = Yes
    recycle:keeptree = No
    recycle:minsize = 1