Sebastian Arcus
2018-Mar-12 11:36 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 11:28, Rowland Penny via samba wrote:> On Mon, 12 Mar 2018 11:11:44 +0000 > Sebastian Arcus via samba <samba at lists.samba.org> wrote: > >> I have a Samba AD running Samba 4.7.5. Everything was working fine, >> when, seemingly out of the blue, the users started to be denied >> access to all shares. If I try from a Windows 7 or Windows 10 >> machine, logged in as a user in "Domain Uses", I get: >> >> "Windows cannot access \\server-name\share_name. You do not have >> permission to access \\server-name\share_name" >> >> If I use smbclient, it allows me to login on the share, but if I do >> 'ls', I get: >> >> smb: \> ls >> NT_STATUS_ACCESS_DENIED listing \* >> >> I have tried the following: >> >> 1. The Domain admin can still access the shares - both from smbclient >> and from Windows machines. >> >> 2. I have checked the acl's on the server, they look ok: >> >> # getfacl share_name/ >> # file: clients/ >> # owner: root >> # group: MYDOMAIN\134domain\040users >> user::rwx >> group::rwx >> group:MYDOMAIN\134domain\040users:rwx >> mask::rwx >> other::rwx >> default:user::rwx >> default:group::rwx >> default:group:MYDOMAIN\134domain\040users:rwx >> default:mask::rwx >> default:other::--- >> >> 3. "wbinfo -g" and "wbinfo -u" work correctly >> >> 4. Kerberos tests work correctly >> >> 5. There are no errors in the Bind/dns configuration >> >> 6. I have logged in through Windows and reset the permissions there >> to allow "Domain Users" on the share >> >> 7. All my smb.conf shares look like this: >> >> [share_name] >> path = /srv/samba/share_name >> read only = No >> inherit acls = yes >> >> >> I am at a loss how "Domain Users" is denied access to the share, when >> everything appears to be fine. Any suggestions much appreciated! >> > > Can you post your entire smb.conf (as on disk)Hi Rowland. Please find the smb.conf below: # Global parameters [global] netbios name = HEBU-SERVER realm = HEBU.LAN server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = HEBU server role = active directory domain controller idmap_ldb:use rfc2307 = yes bind interfaces only = Yes interfaces = lo br0 tun0 log file = /var/log/samba/%m.log #cap log file max log size = 1000 mangling method = hash2 mangle prefix = 6 reset on zero vc = Yes deadtime = 10 load printers = yes rpc_server:spoolss = external rpc_daemon:spoolssd = fork spoolss: architecture = Windows x64 [netlogon] path = /var/lib/samba/sysvol/hebu.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] path = /var/spool/samba printable = yes printing = cups cups options = raw [print$] path = /var/lib/samba/printers read only = no [admin] path = /srv/samba/admin read only = No inherit acls = yes #################################### # Recycle bin options vfs objects = recycle recycle:repository = Recycle.Bin recycle:directory_mode = 0770 recycle:subdir_mode = 0770 recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb recycle:versions = Yes recycle:touch_mtime = Yes recycle:keeptree = No recycle:minsize = 1 [clients] path = /srv/samba/clients read only = No inherit acls = yes #################################### # Recycle bin options vfs objects = recycle recycle:repository = Recycle.Bin recycle:directory_mode = 0770 recycle:subdir_mode = 0770 recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb recycle:versions = Yes recycle:touch_mtime = Yes recycle:keeptree = No recycle:minsize = 1
Rowland Penny
2018-Mar-12 12:56 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On Mon, 12 Mar 2018 11:36:47 +0000 Sebastian Arcus via samba <samba at lists.samba.org> wrote:> > On 12/03/18 11:28, Rowland Penny via samba wrote: > > On Mon, 12 Mar 2018 11:11:44 +0000 > > Sebastian Arcus via samba <samba at lists.samba.org> wrote: > > > >> I have a Samba AD running Samba 4.7.5. Everything was working fine, > >> when, seemingly out of the blue, the users started to be denied > >> access to all shares. If I try from a Windows 7 or Windows 10 > >> machine, logged in as a user in "Domain Uses", I get: > >> > >> "Windows cannot access \\server-name\share_name. You do not have > >> permission to access \\server-name\share_name" > >> > >> If I use smbclient, it allows me to login on the share, but if I do > >> 'ls', I get: > >> > >> smb: \> ls > >> NT_STATUS_ACCESS_DENIED listing \* > >> > >> I have tried the following: > >> > >> 1. The Domain admin can still access the shares - both from > >> smbclient and from Windows machines. > >> > >> 2. I have checked the acl's on the server, they look ok: > >> > >> # getfacl share_name/ > >> # file: clients/ > >> # owner: root > >> # group: MYDOMAIN\134domain\040users > >> user::rwx > >> group::rwx > >> group:MYDOMAIN\134domain\040users:rwx > >> mask::rwx > >> other::rwx > >> default:user::rwx > >> default:group::rwx > >> default:group:MYDOMAIN\134domain\040users:rwx > >> default:mask::rwx > >> default:other::--- > >> > >> 3. "wbinfo -g" and "wbinfo -u" work correctly > >> > >> 4. Kerberos tests work correctly > >> > >> 5. There are no errors in the Bind/dns configuration > >> > >> 6. I have logged in through Windows and reset the permissions there > >> to allow "Domain Users" on the share > >> > >> 7. All my smb.conf shares look like this: > >> > >> [share_name] > >> path = /srv/samba/share_name > >> read only = No > >> inherit acls = yes > >> > >> > >> I am at a loss how "Domain Users" is denied access to the share, > >> when everything appears to be fine. Any suggestions much > >> appreciated! > >> > > > > Can you post your entire smb.conf (as on disk) > > > Hi Rowland. Please find the smb.conf below: > > > # Global parameters > [global] > netbios name = HEBU-SERVER > realm = HEBU.LAN > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = HEBU > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > > bind interfaces only = Yes > interfaces = lo br0 tun0 >There are few default settings there, but nothing really wrong except for 'inherit acls = yes'. You cannot use things like this on DC, you need to set the permissions from windows, see here: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server and: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs I don't think this is your main problem though, did the problem start after a windows update ? I think your clients are possibly trying to connect with NTLMv2 Rowland
Sebastian Arcus
2018-Mar-12 13:17 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 12:56, Rowland Penny via samba wrote:> On Mon, 12 Mar 2018 11:36:47 +0000 > Sebastian Arcus via samba <samba at lists.samba.org> wrote: > >> >> On 12/03/18 11:28, Rowland Penny via samba wrote: >>> On Mon, 12 Mar 2018 11:11:44 +0000 >>> Sebastian Arcus via samba <samba at lists.samba.org> wrote: >>> >>>> I have a Samba AD running Samba 4.7.5. Everything was working fine, >>>> when, seemingly out of the blue, the users started to be denied >>>> access to all shares. If I try from a Windows 7 or Windows 10 >>>> machine, logged in as a user in "Domain Uses", I get: >>>> >>>> "Windows cannot access \\server-name\share_name. You do not have >>>> permission to access \\server-name\share_name" >>>> >>>> If I use smbclient, it allows me to login on the share, but if I do >>>> 'ls', I get: >>>> >>>> smb: \> ls >>>> NT_STATUS_ACCESS_DENIED listing \* >>>> >>>> I have tried the following: >>>> >>>> 1. The Domain admin can still access the shares - both from >>>> smbclient and from Windows machines. >>>> >>>> 2. I have checked the acl's on the server, they look ok: >>>> >>>> # getfacl share_name/ >>>> # file: clients/ >>>> # owner: root >>>> # group: MYDOMAIN\134domain\040users >>>> user::rwx >>>> group::rwx >>>> group:MYDOMAIN\134domain\040users:rwx >>>> mask::rwx >>>> other::rwx >>>> default:user::rwx >>>> default:group::rwx >>>> default:group:MYDOMAIN\134domain\040users:rwx >>>> default:mask::rwx >>>> default:other::--- >>>> >>>> 3. "wbinfo -g" and "wbinfo -u" work correctly >>>> >>>> 4. Kerberos tests work correctly >>>> >>>> 5. There are no errors in the Bind/dns configuration >>>> >>>> 6. I have logged in through Windows and reset the permissions there >>>> to allow "Domain Users" on the share >>>> >>>> 7. All my smb.conf shares look like this: >>>> >>>> [share_name] >>>> path = /srv/samba/share_name >>>> read only = No >>>> inherit acls = yes >>>> >>>> >>>> I am at a loss how "Domain Users" is denied access to the share, >>>> when everything appears to be fine. Any suggestions much >>>> appreciated! >>>> >>> >>> Can you post your entire smb.conf (as on disk) >> >> >> Hi Rowland. Please find the smb.conf below: >> >> >> # Global parameters >> [global] >> netbios name = HEBU-SERVER >> realm = HEBU.LAN >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc, dnsupdate >> workgroup = HEBU >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> >> bind interfaces only = Yes >> interfaces = lo br0 tun0 >> > > There are few default settings there, but nothing really wrong except > for 'inherit acls = yes'. You cannot use things like this on DC, you > need to set the permissions from windows, see here:I actually added 'inherit acls = yes' after the problem started, just in case. I used the second link below to set the permissions from Windows - adding 'Domain Users' to the list (when logged in as the domain Administrator - which it let me). But I still can't access them using any other domain user. I just discovered that even if I add users to the 'Domain Admins' group, they are still not allowed to access the shares.> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server > > and: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > I don't think this is your main problem though, did the problem start > after a windows update ? > I think your clients are possibly trying to connect with NTLMv2If that was the case, shouldn't smbclient continue to work? I can't list the contents of the shares even using smbclient.
Apparently Analagous Threads
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue