Lorenzo Milesi
2020-May-18 21:14 UTC
[Samba] Intermittent permission denied when accessing share
> trying again.

here's the output. thanks!

Config collected --- 2020-05-18-23:08

-----------

Hostname: fileserver
DNS Domain: wdc.mydomain.it
Realm: WDC.MYDOMAIN.IT
FQDN: fileserver.wdc.mydomain.it
ipaddress: 10.0.0.3

-----------

This computer is running Ubuntu 18.04.4 LTS x86_64

-----------

running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:7a:3c:11 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global ens160
    inet6 fe80::20c:29ff:fe7a:3c11/64 scope link

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
#127.0.1.1 fileserver
10.0.0.3 fileserver.wdc.mydomain.it fileserver
10.0.0.3 mail.mydomain.it mail

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback localhost
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

nameserver 10.0.0.3
search wdc.mydomain.it

-----------

Kerberos SRV _kerberos._tcp.wdc.mydomain.it record(s) verified ok, sample output:

Server: 10.0.0.3
Address: 10.0.0.3#53

_kerberos._tcp.wdc.mydomain.it service = 0 100 88 fileserver.wdc.mydomain.it.

-----------

'kinit Administrator' checked successfully.

-----------

Samba is running as an AD DC

-----------

Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = WDC.MYDOMAIN.IT
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    WDC.MYDOMAIN.IT = {
        default_domain = wdc.mydomain.it
    }

[domain_realm]
    fileserver = WDC.MYDOMAIN.IT

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Checking file: /usr/local/samba/etc/smb.conf

# Global parameters
[global]
    netbios name = FILESERVER
    realm = WDC.MYDOMAIN.IT
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = WDC
    netbios aliases = serverx3
    idmap_ldb:use rfc2307 = yes

    # https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
    # template shell = /bin/bash
    template homedir = /home/%U
    hide unreadable = yes

    # The two parameters below lower the minimum communication protocol; set to allow PCs running XP to join
    # FIXME THEY SHOULD BE REMOVED AS SOON AS THERE ARE NO MORE XP CLIENTS
    server min protocol = NT1
    client min protocol = NT1

    log level = 8

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
    browseable = No

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/wdc.mydomain.it/scripts
    read only = No
    browseable = No

[homes]
    path = /home/CONDIVISI/personali
    include = /usr/local/samba/etc/cestino.conf
    read only = No

[BACHECA]
    path = /home/CONDIVISI/BACHECA
    include = /usr/local/samba/etc/cestino.conf
    read only = No

-----------

This DC is being used as a fileserver

Detected bind DLZ enabled..

Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

Checking file: /etc/bind/named.conf.options

# 2020.04.21 yetopen
acl internals {
    127.0.0.0/8;
    10.0.0.0/24;
};
# 2020.04.21 yetopen - end

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //=======================================================================
    # dnssec-validation auto;

    # auth-nxdomain no; # conform to RFC1035

    # 2020.04.21 yetopen https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Setting_up_the_named.conf_files
    listen-on-v6 { none; };
    forwarders { 10.0.0.1; 208.67.222.123; };
    version "Go Away 0.0.7";
    notify no;
    empty-zones-enable no;
    auth-nxdomain yes;
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;

    // Added Per Debian buster Bind9.
    // Due to : resolver: info: resolver priming query complete messages in the logs.
    // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
    minimal-responses yes;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "internals"; };
    allow-query-cache { "internals"; };

    // Add any subnets or hosts you want to allow to use recursive queries
    recursion yes;
    allow-recursion { "internals"; };

    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
    // ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
    // or AFTER upgrading your dns from internal to bind9_dlz
    // Before Samba 4.9.0
    // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    // From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    # 2020.04.21 yetopen - end
};

-----------

Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/usr/local/samba/bind-dns/named.conf";

-----------

Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

-----------

Samba DNS zone list check :

0.0.10.in-addr.arpa
wdc.mydomain.it
mydomain.it
_msdcs.wdc.mydomain.it

-----------
-----------

This is the DC with the PDC Emulator role and time is: 2020-05-18T23:09:04

-----------

Installed packages:

ii acl                          2.2.52-3build1              amd64 Access control list utilities
ii attr                         1:2.4.47-2build1            amd64 Utilities for manipulating filesystem extended attributes
ii bind9                        1:9.11.3+dfsg-1ubuntu1.11   amd64 Internet Domain Name Server
ii bind9-host                   1:9.11.3+dfsg-1ubuntu1.11   amd64 DNS lookup utility (deprecated)
ii bind9utils                   1:9.11.3+dfsg-1ubuntu1.11   amd64 Utilities for BIND
ii krb5-config                  2.6                         all   Configuration files for Kerberos Version 5
ii krb5-kdc                     1.16-2ubuntu0.1             amd64 MIT Kerberos key server (KDC)
ii krb5-locales                 1.16-2ubuntu0.1             all   internationalization support for MIT Kerberos
ii krb5-multidev:amd64          1.16-2ubuntu0.1             amd64 development files for MIT Kerberos without Heimdal conflict
ii krb5-user                    1.16-2ubuntu0.1             amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64                2.2.52-3build1              amd64 Access control list shared library
ii libacl1-dev                  2.2.52-3build1              amd64 Access control list static libraries and headers
ii libattr1:amd64               1:2.4.47-2build1            amd64 Extended attribute shared library
ii libattr1-dev:amd64           1:2.4.47-2build1            amd64 Extended attribute static libraries and headers
ii libbind9-160:amd64           1:9.11.3+dfsg-1ubuntu1.11   amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64       1.16-2ubuntu0.1             amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64     7.5.0+dfsg-1                amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64              1.16-2ubuntu0.1             amd64 MIT Kerberos runtime libraries
ii libkrb5-dev:amd64            1.16-2ubuntu0.1             amd64 headers and development libraries for MIT Kerberos
ii libkrb5support0:amd64        1.16-2ubuntu0.1             amd64 MIT Kerberos runtime libraries - Support library
ii python3-attr                 17.4.0-2                    all   Attributes without boilerplate (Python 3)
ii zimbra-common-mbox-conf-attrs 8.8.15.1558767359-1.u18    amd64 Zimbra Core Mailbox Attributes Configuration

-----------

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
Rowland penny
2020-May-18 21:34 UTC
[Samba] Intermittent permission denied when accessing share
On 18/05/2020 22:14, Lorenzo Milesi via samba wrote:
>> trying again.
> here's the output.
> thanks!
>

Just a couple of comments, and I feel they could have a bearing on your problem:

You have in /etc/hosts:

10.0.0.3 mail.mydomain.it mail

You also have in smb.conf:

netbios aliases = serverx3

The latter is easiest to deal with: replace it with a CNAME in the AD dns.

The first will require a bit more configuration: you will need to create a virtual network interface and assign a different ipaddress to that; this will ensure that your DC will know what to route '10.0.0.3' to.

Rowland
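The two items Rowland picks out of the dump, a second host name sharing the DC's address in /etc/hosts and a 'netbios aliases' entry in smb.conf, are easy to miss in a long samba-collect-debug-info output. As an added example (not code from the thread or from the Samba project), the Python below parses the two files and reports exactly those two conditions together with the remediation suggested above. The function names (parse_hosts, parse_global, lint_dc_names) and the sample file contents are my own, constructed to mirror the dump in the thread.

```python
"""Check a Samba AD DC's /etc/hosts and smb.conf for extra host names that
share the DC's address and for 'netbios aliases' that should be CNAMEs in
the AD DNS zone instead.  Added example, not part of Samba or the thread."""
import re
from typing import Dict, List

# Constructed sample inputs modelled on the debug dump in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
#127.0.1.1 fileserver
10.0.0.3 fileserver.wdc.mydomain.it fileserver
10.0.0.3 mail.mydomain.it mail
::1 ip6-localhost ip6-loopback localhost
"""

SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    netbios name = FILESERVER
    realm = WDC.MYDOMAIN.IT
    server role = active directory domain controller
    workgroup = WDC
    netbios aliases = serverx3
    log level = 8

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each address in hosts(5) text to every name listed for it,
    ignoring blank lines and '#' comments (a leading '#' disables a line)."""
    names_by_ip: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        names_by_ip.setdefault(ip, []).extend(names)
    return names_by_ip


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters of smb.conf text.  Samba ignores case
    and whitespace in parameter names, so keys are normalised the same way
    ('netbios aliases' -> 'netbiosaliases')."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def lint_dc_names(hosts_text: str, smb_conf_text: str, dc_ip: str) -> Dict[str, object]:
    """Report names on the DC's address that are not the DC's own, plus any
    'netbios aliases', each with the fix suggested in the thread."""
    params = parse_global(smb_conf_text)
    own = params.get("netbiosname", "").lower()
    names = parse_hosts(hosts_text).get(dc_ip, [])
    # The DC's own names are its NetBIOS name and that name's FQDN.
    own_names = [n for n in names if n.split(".", 1)[0].lower() == own]
    fqdn = next((n for n in own_names if "." in n), own)
    foreign = [n for n in names if n not in own_names]
    aliases = params.get("netbiosaliases", "").split()

    advice: List[str] = []
    for name in foreign:
        advice.append(
            f"/etc/hosts maps {name} to the DC address {dc_ip}: give that service "
            f"its own address (e.g. a virtual interface) and point its record there"
        )
    for alias in aliases:
        advice.append(
            f"smb.conf has 'netbios aliases = {alias}': remove it and add a CNAME "
            f"{alias} -> {fqdn} in the AD DNS zone instead"
        )
    return {
        "server_role": params.get("serverrole", ""),
        "foreign_names": foreign,
        "netbios_aliases": aliases,
        "advice": advice,
    }


if __name__ == "__main__":
    report = lint_dc_names(SAMPLE_HOSTS, SAMPLE_SMB_CONF, "10.0.0.3")
    print(f"server role: {report['server_role']}")
    for line in report["advice"]:
        print("-", line)
```

Run against the sample text it prints the two findings from the thread; on a real DC, read the two files and pass the address from the debug dump's "ipaddress:" line. The check deliberately treats only the NetBIOS name and its FQDN as the DC's own names, so every other name sharing the address is reported.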
Lorenzo Milesi
2020-May-18 22:07 UTC
[Samba] Intermittent permission denied when accessing share
Thanks for the suggestions!

> The latter is easiest to deal with, replace it with a CNAME in the AD dns.

I did the CNAME, but when I remove the netbios alias I can see the shares list when accessing \\aliasname, but then I'm not allowed into any of them. I tried rebooting the client but same result, and I also don't see anything in the logs :(

> The first will require a bit more configuration, you will need to create
> a virtual network interface and assign a different ipaddress to that,
> this will ensure that your DC will know what to route '10.0.0.3' to.

I will deal with that asap.
Lorenzo Milesi
2020-Jul-01 19:16 UTC
[Samba] Intermittent permission denied when accessing share
For the record, with the support of TranquilIT we added a new server for DC and "demoted" this one to fileserver only, and it's working like a charm.

So I suppose the "single server" solution is not viable anymore, or at least it doesn't seem so.
Rowland penny
2020-Jul-01 19:27 UTC
[Samba] Intermittent permission denied when accessing share
On 01/07/2020 20:16, Lorenzo Milesi via samba wrote:
> For the record, with the support of TranquilIT we added a new server for DC and "demoted" this one to fileserver only, and it's working like a charm.
>
> So I suppose the "single server" solution is not viable anymore, or at least it doesn't seem so.
>

We have never recommended using a DC as a fileserver; it is possible, but fraught with problems. As you have found, it is better to run a DC and a separate fileserver.

Rowland