Andreas Schamanek
2016-Apr-25 19:52 UTC
[Samba] Samba 4.2 domain member fails to access files
Hi everybody,

1 of 3 mostly identical domain members gives me NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even weirder is the workaround I found by chance.

I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4 domain controller, the other 3 are joined as domain members. Their configuration is practically identical. The PDC uses an smbpasswd backend. No winbindd.

Trying to list e.g. a user's home directory (or any other dir with permissions 0700) works on all members but the 3rd:

  $ smbclient //member3/username -U username -W WORKGROUP
  Enter username's password:
  Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
  smb: \> ls
  NT_STATUS_ACCESS_DENIED listing \*
  smb: \> quit

When I open up a directory to e.g. 0777 I can create/upload a file which has the correct credentials, though if `create mask = 0600` the file cannot be read.

I raised the log level to 10 and I compared the log with one from a member where it works. It seems like Samba silently errors out. Also, NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug this further?

There's 1 (too?) obvious major difference: member3 (which denies access) is running Debian 8 with systemd. The others are still running Debian 7 with SysV init. But I fail to see how this could be the culprit.

The weird workaround is the following: I generate a pseudo smbpasswd on member3 e.g. with

  awk -F: '{X=":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
           $3>499 {print $1":"$3 X X ":[U ]:LCT-XXXXXXXX:"}' \
      /etc/passwd >/etc/samba/smbpasswd.pseudo

This puts my users (uid > 499) with no passwords in smbpasswd.pseudo. Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to smb.conf and users can access their data just fine. Authentication is still done via the PDC.

Apparently, there's a problem with mapping UIDs or SID to UID, but why? I double-checked system settings, mount options, acl, xattr, obey pam restrictions. I tried `username map script = /bin/echo` and `username map` to no avail.

-- 
Andreas :-]
Achim Gottinger
2016-Apr-25 20:52 UTC
[Samba] Samba 4.2 domain member fails to access files
Could be you have a few wrong entries in /var/lib/samba/private/idmap.ldb. Look for the objectSID of the affected users and compare xid to the desired uid. Also run "net cache flush" to get caching out of the way.

achim~

On 25.04.2016 at 21:52, Andreas Schamanek wrote:
> Hi everybody, 1 of 3 mostly identical domain members gives me
> NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even
> weirder is the workaround I found by chance.
>
> I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4
> domain controller, the other 3 are joined as domain members. Their
> configuration is practically identical. The PDC uses an smbpasswd
> backend. No winbindd.
>
> Trying to list e.g. a user's home directory (or any other dir with
> permissions 0700) works on all members but the 3rd:
>
> $ smbclient //member3/username -U username -W WORKGROUP
> Enter username's password:
> Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
> smb: \> ls
> NT_STATUS_ACCESS_DENIED listing \*
> smb: \> quit
>
> When I open up a directory to e.g. 0777 I can create/upload a file
> which has the correct credentials, though if `create mask = 0600` the
> file cannot be read.
>
> I raised the log level to 10 and I compared the log with one from a
> member where it works. It seems like Samba silently errors out. Also,
> NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug
> this further?
>
> There's 1 (too?) obvious major difference: member3 (which denies
> access) is running Debian 8 with systemd. The others are still running
> Debian 7 with SysV init. But I fail to see how this could be the
> culprit.
>
> The weird workaround is the following: I generate a pseudo smbpasswd
> on member3 e.g. with
> awk -F: '{X=":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
> $3>499 {print $1":"$3 X X ":[U ]:LCT-XXXXXXXX:"}' \
> /etc/passwd >/etc/samba/smbpasswd.pseudo
>
> This puts my users (uid > 499) with no passwords in smbpasswd.pseudo.
> Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to
> smb.conf and users can access their data just fine. Authentication is
> still done via the PDC.
>
> Apparently, there's a problem with mapping UIDs or SID to UID, but
> why? I double-checked system settings, mount options, acl, xattr, obey
> pam restrictions. I tried `username map script = /bin/echo` and
> `username map` to no avail.
>
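Achim's advice, compare the cached xid with the uid the account is supposed to have, can be scripted so that a stale mapping is found before it is flushed and forgotten. The script below is an added example, not code from this thread or from the Samba project. It parses a dump in the shape that `net cache list` prints and cross-checks the user entries against the local account database. The `Key: ... Timeout: ... Value: ...` line layout and the `IDMAP/SID2XID` and `IDMAP/UID2SID` key names with `<id>:U` / `<id>:G` values are assumptions about Samba's gencache contents, not facts taken from the page; adjust the regex and prefixes to what your `net cache list` actually shows. The sample dump, user names, uids and SIDs are constructed for the example.

```python
"""Cross-check Samba idmap cache entries against local accounts.

Added example for the thread above; not code from the thread or from the
Samba project. The cache line layout and the IDMAP/* key names are
assumptions about what `net cache list` prints.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the assumed `net cache list` layout. The second
# SID2XID entry and the second UID2SID entry are deliberately stale, which
# is the kind of mismatch that surfaces as NT_STATUS_ACCESS_DENIED.
SAMPLE_CACHE_DUMP = """\
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1001\t Timeout: Tue Apr 26 10:00:00 2016\t Value: 1001:U
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-1002\t Timeout: Tue Apr 26 10:00:00 2016\t Value: 65534:U
Key: IDMAP/SID2XID/S-1-5-21-111-222-333-513\t Timeout: Tue Apr 26 10:00:00 2016\t Value: 100:G
Key: IDMAP/UID2SID/1001\t Timeout: Tue Apr 26 10:00:00 2016\t Value: S-1-5-21-111-222-333-1001
Key: IDMAP/UID2SID/1002\t Timeout: Tue Apr 26 10:00:00 2016\t Value: S-1-5-21-111-222-333-1001
"""

# Constructed accounts: the uid each user has in /etc/passwd on the member,
# and the SID the PDC assigns to that user (obtainable from the PDC's passdb).
LOCAL_UIDS = {"alice": 1001, "bob": 1002}
EXPECTED_SIDS = {
    "alice": "S-1-5-21-111-222-333-1001",
    "bob": "S-1-5-21-111-222-333-1002",
}

# Assumed three-column layout of one cache line.
LINE_RE = re.compile(
    r"^Key:\s*(?P<key>\S+)\s+Timeout:\s*(?P<timeout>.+?)\s+Value:\s*(?P<value>\S+)"
)


def parse_cache_dump(dump: str) -> Tuple[Dict[str, int], Dict[int, str]]:
    """Return (sid -> uid, uid -> sid) from the user entries of a cache dump.

    Group entries (value suffix ':G') are skipped, and lines that do not
    look like idmap entries are ignored, so the full dump can be fed in.
    """
    sid2uid: Dict[str, int] = {}
    uid2sid: Dict[int, str] = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.startswith("IDMAP/SID2XID/"):
            sid = key[len("IDMAP/SID2XID/"):]
            xid, _, kind = value.partition(":")
            if kind == "U" and xid.isdigit():
                sid2uid[sid] = int(xid)
        elif key.startswith("IDMAP/UID2SID/"):
            uid = key[len("IDMAP/UID2SID/"):]
            if uid.isdigit():
                uid2sid[int(uid)] = value
    return sid2uid, uid2sid


def audit_idmap_cache(dump: str, local_uids: Dict[str, int],
                      expected_sids: Dict[str, str]) -> List[str]:
    """Report cache entries that disagree with the accounts we expect.

    Two checks per user: the SID must resolve to the user's local uid, and
    that uid must resolve back to the same SID. Entries missing from the
    cache are not findings; Samba simply resolves them again.
    """
    sid2uid, uid2sid = parse_cache_dump(dump)
    findings: List[str] = []
    for user, sid in expected_sids.items():
        uid = local_uids[user]
        cached_uid = sid2uid.get(sid)
        if cached_uid is not None and cached_uid != uid:
            findings.append(f"{user}: {sid} cached as uid {cached_uid}, local uid is {uid}")
        cached_sid = uid2sid.get(uid)
        if cached_sid is not None and cached_sid != sid:
            findings.append(f"{user}: uid {uid} cached as {cached_sid}, expected {sid}")
    return findings


def read_live_cache() -> str:
    """Dump the running server's cache with `net cache list` (run as root)."""
    return subprocess.run(["net", "cache", "list"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_live_cache() on a member.
    for finding in audit_idmap_cache(SAMPLE_CACHE_DUMP, LOCAL_UIDS, EXPECTED_SIDS):
        print(finding)
```

On the sample data the script reports both of bob's entries (the SID cached as uid 65534, and uid 1002 cached against alice's SID) and nothing for alice. Once a stale entry is confirmed, `net cache flush` as Achim suggests clears it; rerunning the audit afterwards shows whether the mapping that Samba recomputes is the right one or whether the underlying passdb or idmap configuration still disagrees with /etc/passwd.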
Andreas Schamanek
2016-Apr-25 21:48 UTC
[Samba] Samba 4.2 domain member fails to access files
Achim,

Thanks a big bunch! Indeed, I forgot about the cache. I looked at the contents of "net cache list" which also showed some of the wrong GIDs and UIDs that I had seen before when trying various settings. Then I ran "net cache flush" and users were immediately able to access data again.

I didn't know the cache could create such a big confusion, though. Also, it still puzzles me why this did not show up in the logs.

BTW, /var/lib/samba/private/idmap.ldb does not exist. But I guess that's how it's supposed to be since we are not running winbind and we don't do mappings other than what are the defaults.

Thanks again for your help and taking the time to read my longish message!

-- 
Andreas :-)