Robert Fitzpatrick
2012-May-10 18:31 UTC
[Samba] NT_STATUS_ACCESS_DENIED on previously created files
On Ubuntu, I have upgraded to the latest LTS version, which upgraded my Samba to 3.6.3 and now getting NT_STATUS_ACCESS_DENIED when trying to remove files and folders. This server MEDIA is set up as a member server to a FreeBSD PDC called MAIL using LDAP for authentication. All been working great for a long time, now from the PDC, I try....

mail# smbclient -U robert //media/robert
WARNING: The "enable privileges" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap backend" option is deprecated
Enter robert's password:
Domain=[WEBTENT] OS=[Unix] Server=[Samba 3.6.3]
smb: \> mkdir test
smb: \> rmdir test
NT_STATUS_ACCESS_DENIED removing remote directory file \test

I know I have some work to do to get rid of the warnings, but I can log in to MAIL (PDC) and other Win workstations, create and remove files with no issue. It is only when logging into this member server locally or from a remote workstation. Getting this sort of thing in the logs...

[2012/05/10 14:24:33.711345, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test
[2012/05/10 14:24:33.711404, 10] smbd/posix_acls.c:2537(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2012/05/10 14:24:33.711447, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.711496, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.713525, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 2. Type = allow SID S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2012/05/10 14:24:33.715245, 10] smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.718539, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2012/05/10 14:24:33.718585, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2012/05/10 14:24:33.718627, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2012/05/10 14:24:33.718676, 10] smbd/file_access.c:76(can_access_file_acl)
  can_access_file_acl for file test access_mask 0x10000, access_granted 0x10000 access DENIED

I've googled stuff like this...

https://bugzilla.samba.org/show_bug.cgi?id=7521

I even tried upgrading my PDC to the latest available, 3.6.5, but nothing seems to help. Has anyone had this issue?

Thanks, Robert
Jochen Roderburg
2012-May-11 08:56 UTC
[Samba] NT_STATUS_ACCESS_DENIED on previously created files
>> On Ubuntu, I have upgraded to the latest LTS version, which upgraded my
>> Samba to 3.6.3 and now getting NT_STATUS_ACCESS_DENIED when trying to
>> remove files and folders.

>> I even tried upgrading my PDC to the latest available, 3.6.5, but
>> nothing seems to help. Has anyone had this issue?

Yeah, sounds like this still unresolved issue:

https://bugzilla.samba.org/show_bug.cgi?id=8414

Regards, J.Roderburg