Jobst Schmalenbach
2015-Mar-17 05:18 UTC
[Samba] Samba working (has been for years) but logs full of NT_STATUS_ACCESS_DENIED
Hi. My samba server is working for everybody but the logs are full of "NT_STATUS_ACCESS_DENIED" messages So I turned logging a little higher and found out what shares/files are accessed when this happens. It, too, happens not to ALL users. I see this: guest user (from session setup) not permitted to access this share (TestPrograms) [2015/03/17 16:00:58.165672, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED and this: [2015/03/17 16:01:08.967945, 2] smbd/close.c:696(close_normal_file) rebecca closed file samba-homeshare/Google/Chrome/Default/TransportSecurity~RF181a7c8.TMP (numopen=294) NT_STATUS_OK [2015/03/17 16:01:09.056686, 2] smbd/service.c:616(create_connection_session_info) guest user (from session setup) not permitted to access this share (rebecca) [2015/03/17 16:01:09.056773, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED Username exist in both /etc/password and /var/lib/samba/private/smbpasswd and matching lines are in /var/lib/samba/private/smbpasswd. I have no idea why the guest user "needs" access because I (at least I thought) instructed not to, TestPrograms is an existing share and rebecca is one of our users. Relevant information from smb.conf: ... ... security = user username map = /etc/samba/smbusers log level = 2 logon path = \\DOMAINSERVER\profiles\%u logon drive = Z: logon home = \\DOMAINSERVER\%u\samba-homeshare domain logons = Yes guest account = nobody usershare allow guests = No ... ... [homes] comment = Home Directories valid users = %u writable = yes browseable = no admin users = @domadmins guest ok = no ... ... [TestPrograms] comment = "Shared Directory for Testing Programs" path = /samba/Shares/TestPrograms valid users = @domusers admin users = root read only = No create mask = 0660 force create mode = 0770 directory mask = 0770 force directory mode = 06770 guest ok = no ... ... I have no clue why this is happening. Help please. thanks Jobst -- #include <signature.h> | |0| | Jobst Schmalenbach, jobst at barrett.com.au, General Manager | | |0| Barrett Consulting Group P/L & The Meditation Room P/L |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
Marc Muehlfeld
2015-Mar-17 06:43 UTC
[Samba] Samba working (has been for years) but logs full of NT_STATUS_ACCESS_DENIED
Hello Jobst, Am 17.03.2015 um 06:18 schrieb Jobst Schmalenbach:> I see this: > > guest user (from session setup) not permitted to access this share (TestPrograms) > [2015/03/17 16:00:58.165672, 1] smbd/service.c:805(make_connection_snum) > create_connection_session_info failed: NT_STATUS_ACCESS_DENIED > > ... > > [TestPrograms] > .... > guest ok = noSeems to be correct, that Samba denies access to this share.> and this: > > [2015/03/17 16:01:08.967945, 2] smbd/close.c:696(close_normal_file) > rebecca closed file samba-homeshare/Google/Chrome/Default/TransportSecurity~RF181a7c8.TMP (numopen=294) NT_STATUS_OK > [2015/03/17 16:01:09.056686, 2] smbd/service.c:616(create_connection_session_info) > guest user (from session setup) not permitted to access this share (rebecca) > [2015/03/17 16:01:09.056773, 1] smbd/service.c:805(make_connection_snum) > create_connection_session_info failed: NT_STATUS_ACCESS_DENIED > > ... > > [homes] > comment = Home Directories > ... > guest ok = noSame here.> I have no idea why the guest user "needs" access because I (at least > I thought) instructed not to, TestPrograms is an existing share and > rebecca is one of our users.Sure that not someone else tries to access as guest? User "rebecca" closes a file in the log. So usermapping seems to work - at least for this account. And then a guest user tries to access, what is denied. * What kind of server is it? Member/DC/PDC * Can you show your full smb.conf? There are some more interesting parameters and with your snipped I can't say if it's missing (default settings) or something is wrong configured. * Do any users are having problems accessing shares? Or did you just saw some "guest denied" messages in your logs? Regards, Marc