Paul Griffith
2019-May-02 19:24 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
Hello,

I am testing Samba 4.9.7 before we upgrade our 4.8 domain member server. I am running into a weird permission error with our test server. My home directory is NFS mounted. The problem comes from a mail directory in my home directory. I can't access it over SMB/CIFS, it gives me a permission error. From another Linux host that has our home directories NFS mounted, I can access it fine. Also, from our soon to be retired NT Domain server, I can access the directory.

Home directory mounted with,

mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA

smbd_dirptr_get_entry mask=[*] found .AndroidStudio3.1 fname=.AndroidStudio3.1 (.AndroidStudio3.1)
[2019/05/02 12:28:31.276870, 3, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:158
[2019/05/02 12:28:33.578220, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:33.578305, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.537282, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:36.537361, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.538662, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:36.538737, 2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.538956, 3, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:296

From Linux side of things, it looks good. Permissions are correct.

jazzy 43 % ls -lad mail
drwx------ 2 paulg tech 62 Sep 21 2018 mail
jazzy 44 % cd mail
jazzy 45 % ls -l
total 0
-rw------- 1 paulg tech 0 Apr 9 13:54 Drafts
-rw------- 1 paulg tech 0 Apr 9 13:54 Sent
-rw------- 1 paulg tech 0 Apr 9 13:54 Templates
-rw------- 1 paulg tech 0 Apr 9 13:54 Trash

I am at a loss concerning this one, any pointers?

Thanks
Paul

---- files server ----
[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
server string = Samba Server
hostname lookups = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999

winbind use default domain = yes
local master = No

#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 3
max log size = 0

username map = /xconf/samba/usermap

#ip networking
max connections = 0
interfaces = 127.0.0.1 130.xx.xx.xx
bind interfaces only = yes

#printing
load printers = no
printcap name = /xconf/lprng/printcap
printing = bsd
print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
lpq command = /xsys/bin/lpq -P%p
lprm command = /xsys/bin/lprm -P%p %j
use client driver = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

# security settings
guest account = nobody
invalid users = root
nt acl support = yes
inherit permissions = yes
client lanman auth = no
client ntlmv2 auth = yes
wide links = no
unix extensions = no

[homes]
comment = Home Directories
browseable = yes
read only = no
valid users = %S
csc policy = disable
invalid users = activ8
oplocks = no
level2 oplocks = no
strict locking = no
posix locking = no
L.P.H. van Belle
2019-May-03 13:36 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
Hai Paul,

Look at this: user=paulg,uid=2381
(from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)

Now, look at this:

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ONEEXAMPLECA domain
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 10000-999999

What do you notice here? (The hint is 2381:1000) and I would expect to see 10000:10000 or higher. Do you see what I mean? Your UID/GID is a local users one, not AD-DC users.

Your ranges are out of sync now, and that your denied is completely correct.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul Griffith via samba
> Sent: Thursday 2 May 2019 21:24
> To: samba at lists.samba.org
> Subject: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
>
> Hello,
>
> I am testing Samba 4.9.7 before we upgrade our 4.8 domain member server.
> I am running into a weird permission error with our test server. My home
> directory is NFS mounted. The problem comes from a mail directory in my
> home directory. I can't access it over SMB/CIFS, it gives me a
> permission error. From another Linux host that has our home directories
> NFS mounted, I can access it fine. Also, from our soon to be retired NT
> Domain server, I can access the directory.
Rowland Penny
2019-May-03 13:53 UTC
[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access
On Fri, 3 May 2019 15:36:59 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Paul,
>
> Look at this: user=paulg,uid=2381
> (from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o
> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)
>
> Now, look at this:
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the ONEEXAMPLECA domain
> > idmap config ONEEXAMPLECA : backend = rid
> > idmap config ONEEXAMPLECA : range = 10000-999999
>
> What do you notice here? (The hint is 2381:1000) and I would expect
> to see 10000:10000 or higher. Do you see what I mean? Your UID/GID is
> a local users one, not AD-DC users.
>
> Your ranges are out of sync now, and that your denied is completely
> correct.
>

Good catch Louis, those numbers are even outside the '*' domain, so must be a local Unix user and group and how many times do I have to say this:

You cannot have local Unix users and groups in /etc/passwd & /etc/group and expect them to work on a Samba Unix domain.

If the ID numbers are in AD, then the only reason would be if this is a classicupgraded domain (which I personally hate) and if so, the ranges in smb.conf will need altering to match.

Rowland
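
The mismatch the two replies point at can be checked mechanically. The following Python is an added example, not part of the thread or of Samba: it reads the idmap ranges and the `effective(uid, gid)` log header posted above and compares them with the directory's owner and mode. The function names are made up for this example, and it assumes that `paulg`/`tech` on the NFS export are uid 2381 / gid 1000, as the mount options suggest.

```python
import re

# Constructed sample input: values copied from the smb.conf and smbd log in this thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999
"""
LOG_HEADER = "[2019/05/02 12:28:36.538956, 3, pid=26508, effective(12508, 10513), real(12508, 0)]"

def idmap_ranges(conf):
    """Map each idmap domain to its (low, high) range from 'idmap config' lines."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)
    return {dom: (int(lo), int(hi)) for dom, lo, hi in pat.findall(conf)}

def owning_domain(xid, ranges):
    """Idmap domain whose range contains xid, or None for an ID outside every range."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= xid <= hi), None)

def effective_ids(header):
    """(uid, gid) smbd was running as, taken from a 'debug uid = yes' log header."""
    m = re.search(r"effective\((\d+),\s*(\d+)\)", header)
    if not m:
        raise ValueError("no effective(uid, gid) field in log header")
    return int(m.group(1)), int(m.group(2))

def may_enter(uid, gid, owner_uid, owner_gid, mode):
    """Owner/group/other search-bit check; ignores root, ACLs and supplementary groups."""
    if uid == owner_uid:
        return bool(mode & 0o100)
    if gid == owner_gid:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def diagnose(conf, header, owner_uid, owner_gid, mode):
    ranges = idmap_ranges(conf)
    uid, gid = effective_ids(header)
    dom = owning_domain(uid, ranges)
    return {
        "smbd_uid_domain": dom,
        # Assumes a rid backend with the default base_rid: ID = RID + low end of range.
        "rid": uid - ranges[dom][0] if dom not in (None, "*") else None,
        "owner_uid_domain": owning_domain(owner_uid, ranges),
        "access": may_enter(uid, gid, owner_uid, owner_gid, mode),
    }

if __name__ == "__main__":
    # Assumption: 'paulg'/'tech' on the NFS export are uid 2381 / gid 1000.
    print(diagnose(SMB_CONF, LOG_HEADER, 2381, 1000, 0o700))
```

With the thread's values, smbd acts as 12508:10513, which sits inside the ONEEXAMPLECA range, while owner uid 2381 falls in no idmap range at all, so the `drwx------` mode denies the SMB session even though the same directory opens fine for the local user over NFS.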