Sebastian Arcus
2018-Mar-12 11:36 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 11:28, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:11:44 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>
>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>> when, seemingly out of the blue, the users started to be denied
>> access to all shares. If I try from a Windows 7 or Windows 10
>> machine, logged in as a user in "Domain Users", I get:
>>
>> "Windows cannot access \\server-name\share_name. You do not have
>> permission to access \\server-name\share_name"
>>
>> If I use smbclient, it allows me to log in to the share, but if I do
>> 'ls', I get:
>>
>> smb: \> ls
>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> I have tried the following:
>>
>> 1. The Domain admin can still access the shares - both from smbclient
>> and from Windows machines.
>>
>> 2. I have checked the ACLs on the server, they look ok:
>>
>> # getfacl share_name/
>> # file: clients/
>> # owner: root
>> # group: MYDOMAIN\134domain\040users
>> user::rwx
>> group::rwx
>> group:MYDOMAIN\134domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:group::rwx
>> default:group:MYDOMAIN\134domain\040users:rwx
>> default:mask::rwx
>> default:other::---
>>
>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>
>> 4. Kerberos tests work correctly
>>
>> 5. There are no errors in the Bind/DNS configuration
>>
>> 6. I have logged in through Windows and reset the permissions there
>> to allow "Domain Users" on the share
>>
>> 7. All my smb.conf shares look like this:
>>
>> [share_name]
>> path = /srv/samba/share_name
>> read only = No
>> inherit acls = yes
>>
>>
>> I am at a loss how "Domain Users" is denied access to the share, when
>> everything appears to be fine. Any suggestions much appreciated!
>>
>
> Can you post your entire smb.conf (as on disk)

Hi Rowland. Please find the smb.conf below:


# Global parameters
[global]
    netbios name = HEBU-SERVER
    realm = HEBU.LAN
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = HEBU
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

    bind interfaces only = Yes
    interfaces = lo br0 tun0

    log file = /var/log/samba/%m.log
    #cap log file
    max log size = 1000
    mangling method = hash2
    mangle prefix = 6
    reset on zero vc = Yes
    deadtime = 10

    load printers = yes
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss: architecture = Windows x64

[netlogon]
    path = /var/lib/samba/sysvol/hebu.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[printers]
    path = /var/spool/samba
    printable = yes
    printing = cups
    cups options = raw

[print$]
    path = /var/lib/samba/printers
    read only = no

[admin]
    path = /srv/samba/admin
    read only = No
    inherit acls = yes
    ####################################
    # Recycle bin options
    vfs objects = recycle
    recycle:repository = Recycle.Bin
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0770
    recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
    recycle:versions = Yes
    recycle:touch_mtime = Yes
    recycle:keeptree = No
    recycle:minsize = 1

[clients]
    path = /srv/samba/clients
    read only = No
    inherit acls = yes
    ####################################
    # Recycle bin options
    vfs objects = recycle
    recycle:repository = Recycle.Bin
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0770
    recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
    recycle:versions = Yes
    recycle:touch_mtime = Yes
    recycle:keeptree = No
    recycle:minsize = 1
Rowland Penny
2018-Mar-12 12:56 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On Mon, 12 Mar 2018 11:36:47 +0000
Sebastian Arcus via samba <samba at lists.samba.org> wrote:

>
> On 12/03/18 11:28, Rowland Penny via samba wrote:
> > On Mon, 12 Mar 2018 11:11:44 +0000
> > Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> >
> >> I have a Samba AD running Samba 4.7.5. Everything was working fine,
> >> when, seemingly out of the blue, the users started to be denied
> >> access to all shares. If I try from a Windows 7 or Windows 10
> >> machine, logged in as a user in "Domain Users", I get:
> >>
> >> "Windows cannot access \\server-name\share_name. You do not have
> >> permission to access \\server-name\share_name"
> >>
> >> If I use smbclient, it allows me to log in to the share, but if I do
> >> 'ls', I get:
> >>
> >> smb: \> ls
> >> NT_STATUS_ACCESS_DENIED listing \*
> >>
> >> I have tried the following:
> >>
> >> 1. The Domain admin can still access the shares - both from
> >> smbclient and from Windows machines.
> >>
> >> 2. I have checked the ACLs on the server, they look ok:
> >>
> >> # getfacl share_name/
> >> # file: clients/
> >> # owner: root
> >> # group: MYDOMAIN\134domain\040users
> >> user::rwx
> >> group::rwx
> >> group:MYDOMAIN\134domain\040users:rwx
> >> mask::rwx
> >> other::rwx
> >> default:user::rwx
> >> default:group::rwx
> >> default:group:MYDOMAIN\134domain\040users:rwx
> >> default:mask::rwx
> >> default:other::---
> >>
> >> 3. "wbinfo -g" and "wbinfo -u" work correctly
> >>
> >> 4. Kerberos tests work correctly
> >>
> >> 5. There are no errors in the Bind/DNS configuration
> >>
> >> 6. I have logged in through Windows and reset the permissions there
> >> to allow "Domain Users" on the share
> >>
> >> 7. All my smb.conf shares look like this:
> >>
> >> [share_name]
> >> path = /srv/samba/share_name
> >> read only = No
> >> inherit acls = yes
> >>
> >>
> >> I am at a loss how "Domain Users" is denied access to the share,
> >> when everything appears to be fine. Any suggestions much
> >> appreciated!
> >>
> >
> > Can you post your entire smb.conf (as on disk)
>
>
> Hi Rowland. Please find the smb.conf below:
>
>
> # Global parameters
> [global]
> netbios name = HEBU-SERVER
> realm = HEBU.LAN
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = HEBU
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> bind interfaces only = Yes
> interfaces = lo br0 tun0
>

There are few default settings there, but nothing really wrong except
for 'inherit acls = yes'. You cannot use things like this on a DC, you
need to set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

and:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't think this is your main problem though, did the problem start
after a Windows update?
I think your clients are possibly trying to connect with NTLMv2

Rowland
Sebastian Arcus
2018-Mar-12 13:17 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 12:56, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:36:47 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>
>>
>> On 12/03/18 11:28, Rowland Penny via samba wrote:
>>> On Mon, 12 Mar 2018 11:11:44 +0000
>>> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>>>
>>>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>>>> when, seemingly out of the blue, the users started to be denied
>>>> access to all shares. If I try from a Windows 7 or Windows 10
>>>> machine, logged in as a user in "Domain Users", I get:
>>>>
>>>> "Windows cannot access \\server-name\share_name. You do not have
>>>> permission to access \\server-name\share_name"
>>>>
>>>> If I use smbclient, it allows me to log in to the share, but if I do
>>>> 'ls', I get:
>>>>
>>>> smb: \> ls
>>>> NT_STATUS_ACCESS_DENIED listing \*
>>>>
>>>> I have tried the following:
>>>>
>>>> 1. The Domain admin can still access the shares - both from
>>>> smbclient and from Windows machines.
>>>>
>>>> 2. I have checked the ACLs on the server, they look ok:
>>>>
>>>> # getfacl share_name/
>>>> # file: clients/
>>>> # owner: root
>>>> # group: MYDOMAIN\134domain\040users
>>>> user::rwx
>>>> group::rwx
>>>> group:MYDOMAIN\134domain\040users:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:MYDOMAIN\134domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>>>
>>>> 4. Kerberos tests work correctly
>>>>
>>>> 5. There are no errors in the Bind/DNS configuration
>>>>
>>>> 6. I have logged in through Windows and reset the permissions there
>>>> to allow "Domain Users" on the share
>>>>
>>>> 7. All my smb.conf shares look like this:
>>>>
>>>> [share_name]
>>>> path = /srv/samba/share_name
>>>> read only = No
>>>> inherit acls = yes
>>>>
>>>>
>>>> I am at a loss how "Domain Users" is denied access to the share,
>>>> when everything appears to be fine. Any suggestions much
>>>> appreciated!
>>>>
>>>
>>> Can you post your entire smb.conf (as on disk)
>>
>>
>> Hi Rowland. Please find the smb.conf below:
>>
>>
>> # Global parameters
>> [global]
>> netbios name = HEBU-SERVER
>> realm = HEBU.LAN
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = HEBU
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>>
>> bind interfaces only = Yes
>> interfaces = lo br0 tun0
>>
>
> There are few default settings there, but nothing really wrong except
> for 'inherit acls = yes'. You cannot use things like this on a DC, you
> need to set the permissions from Windows, see here:

I actually added 'inherit acls = yes' after the problem started, just in
case. I used the second link below to set the permissions from Windows -
adding 'Domain Users' to the list (when logged in as the domain
Administrator - which it let me). But I still can't access them using any
other domain user. I just discovered that even if I add users to the
'Domain Admins' group, they are still not allowed to access the shares.

>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> and:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> I don't think this is your main problem though, did the problem start
> after a Windows update?
> I think your clients are possibly trying to connect with NTLMv2

If that was the case, shouldn't smbclient continue to work? I can't list
the contents of the shares even using smbclient.
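The script below is an added example, not code from the thread or from the Samba project. Its first function computes what a POSIX ACL actually grants a named group once the mask entry is applied, and is run offline over the getfacl output posted in the thread plus a constructed copy of it with a tightened mask (getfacl still prints the group entry as rwx in that case, but the group ends up with r-x). Its second function runs the checks that the POSIX view alone cannot answer on an AD DC, where the rights Windows sees are held in the NT ACL Samba stores in the security.NTACL xattr: 'samba-tool ntacl get --as-sddl' on the share directory, winbind's group resolution for the user via 'id', and an smbclient listing as an ordinary domain user, which is the step that fails with NT_STATUS_ACCESS_DENIED in the thread. The share path, share name and user passed in live mode are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check what a POSIX ACL really
# grants a group (its entry AND-ed with the mask), then run the checks the
# POSIX view cannot answer on a Samba AD DC share: the NT ACL Samba keeps in
# the security.NTACL xattr, winbind's view of the user's groups, and a real
# listing attempt as an ordinary domain user.

# Effective rights of a named group under a POSIX ACL. Reads getfacl output
# on stdin; $1 is the group name exactly as getfacl prints it, octal escapes
# included (e.g. MYDOMAIN\134domain\040users). Prints rwx, r-x, ...; returns
# 1 when the group has no named entry (then only owner/other entries apply).
# A missing mask entry means "no mask", which is treated as rwx.
acl_group_effective() {
    want=$1 mask=rwx perms=
    while IFS= read -r line; do
        case $line in
            '#'*|default:*|'') ;;               # comments, default ACL, blanks
            mask::*) mask=${line#mask::} ;;
            group:*)
                rest=${line#group:}
                name=${rest%:*}                  # empty for the owning group
                [ "$name" = "$want" ] && perms=${rest##*:}
                ;;
        esac
    done
    [ -n "$perms" ] || return 1
    eff=
    for i in 1 2 3; do                           # AND each r/w/x slot with the mask
        p=$(printf '%s' "$perms" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        if [ "$p" = "$m" ]; then eff="$eff$p"; else eff="$eff-"; fi
    done
    printf '%s\n' "$eff"
}

# Constructed samples: the ACL posted in the thread, and the same ACL with a
# tightened mask (the group line still reads rwx, the effective rights do not).
ACL_FROM_THREAD='# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---'
ACL_TIGHT_MASK=$(printf '%s\n' "$ACL_FROM_THREAD" | sed 's/^mask::rwx$/mask::r-x/')

# Live checks on the DC (run as root; real getfacl/samba-tool/id/smbclient
# calls, nothing is simulated). $1 = share path, $2 = share name,
# $3 = user as DOMAIN\user. On a DC the Windows-side rights live in the NT
# ACL, so a clean POSIX ACL next to a denying NT ACL still yields
# NT_STATUS_ACCESS_DENIED for the user.
share_diag() {
    echo "== POSIX ACL on $1 =="
    getfacl -p "$1"
    echo "== NT ACL Samba stores on $1 (SDDL) =="
    samba-tool ntacl get "$1" --as-sddl
    echo "== Groups winbind resolves for $3 =="
    id "$3"
    echo "== Listing //$(hostname)/$2 as $3 =="
    smbclient "//$(hostname)/$2" -U "$3" -c ls
}

# Offline demonstration on the constructed samples.
acl_demo() {
    printf 'thread ACL, mask rwx : %s\n' "$(printf '%s\n' "$ACL_FROM_THREAD" | acl_group_effective 'MYDOMAIN\134domain\040users')"
    printf 'same ACL, mask r-x   : %s\n' "$(printf '%s\n' "$ACL_TIGHT_MASK" | acl_group_effective 'MYDOMAIN\134domain\040users')"
}
acl_demo

# Live mode, placeholders: ./acl-check.sh /srv/samba/clients clients 'HEBU\someuser'
if [ -n "${1:-}" ]; then
    share_diag "$1" "${2:-}" "${3:-}"
fi
```

Run it with no arguments to see the offline mask demonstration; run it as root on the DC with the share path, share name and a non-admin domain user to get, in one go, both ACL views Samba consults and the client-side result for that user. If the SDDL output lacks an allow ACE for the group while getfacl looks fine, the permissions have to be fixed from Windows as the wiki pages linked above describe, not with setfacl.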