samba - Dec 2016 - About error: 'Windows cannot access, you do not have permission to access'

Thanks for your attention.
First, use local users at samba server, and client login success.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2

then，it changed to use LADP, and restart smbd, so that samba server close the
connection.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size =100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2
   passdb backend = ldapsam:ldap://xxx
   ldap admin dn = "xxx"
   ldap suffix = "xxx"
   ldap delete dn = no
   ldap ssl = off

Now，clent need to re-login because server has closed the connection. Then try to
access samba and report error:' Windows cannot access, you do not have
permission to access'
I reboot client but it still report this error.

-----邮件原件-----
发件人: samba [mailto:samba-bounces at lists.samba.org] 代表 Rowland Penny via samba
发送时间: 2016年12月27日 21:59
收件人: samba at lists.samba.org
主题: Re: [Samba] About error: 'Windows cannot access, you do not have
permission to access'

On Tue, 27 Dec 2016 13:34:24 +0000
Chenyehua via samba <samba at lists.samba.org> wrote:
> HI
> I have a linux samba server and lists users at this server. and access
> the folder from the windows7 client. Now i configure a LDAP sever and
> let samba to use it . But I don’t want clients keeping the connection
> because I have changed the authentication,clinets need to re-login. So
> I restart smbd. and it works. Then,let clients reconnect to samba, but
> it report errors: Windows cannot access \\xxxxxx<file:///\\xxxxxx>
You
> do not have permission to access \\xxxxx<file:///\\xxxxx>.... From
> server’ log,  the client login with old user and password which saved
> by last time success login. But why the client can’t tell the wrong
> user or password,and it need to be re-login. From google,I know
> restart service->workstation it can be useful to re-login.but it’s not
> kind to user or client. Is there any helpful parameter in smb.comf to
> avoid the errors and client can reconnect without any operations such
> as restart workstation. Or someone can tell me why client report this
> error.
>
> Hope someone help, Thanks!
I am sorry, but I think from the little amount of info you have given, it is
virtually impossible to decide what is wrong. You will have to give us a lot
more info, lets start with the smb.conf

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
-------------------------------------------------------------------------------------------------------------------------------------
本邮件及其附件含有杭州华三通信技术有限公司的保密信息，仅限于发送给上面地址中列出
的个人或群组。禁止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、
或散发）本邮件中的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本
邮件！
This e-mail and its attachments contain confidential information from H3C, which
is
intended only for the person or entity whose address is listed above. Any use of
the
information contained herein in any way (including, but not limited to, total or
partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify
the sender
by phone or email immediately and delete it!

Does "pdbedit -Lv" show the users?


If this is a standalone server, do you need idmap entries ?  Presumably your
ldap server also has your unix level accounts?

When you changed the backend, did you dump the users out of the local tdb
database and reimport to LDAP?   I think the smbpasswd command can be used for
some export and importing.

Did you type "smbasswd -w" to set the ldap admin password?   If you
did not, you should see an error message in a log file.

 

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Chenyehua via
samba
Sent: Wednesday, December 28, 2016 7:55 PM
To: 'Rowland Penny' <rpenny at samba.org>
Cc: samba at lists.samba.org
Subject: [Samba] 答复: About error: 'Windows cannot access, you do not have
permission to access'

Thanks for your attention.
First, use local users at samba server, and client login success.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2

then，it changed to use LADP, and restart smbd, so that samba server close the
connection.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size =100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2
   passdb backend = ldapsam:ldap://xxx
   ldap admin dn = "xxx"
   ldap suffix = "xxx"
   ldap delete dn = no
   ldap ssl = off

Now，clent need to re-login because server has closed the connection. Then try to
access samba and report error:' Windows cannot access, you do not have
permission to access'
I reboot client but it still report this error.

-----邮件原件-----
发件人: samba [mailto:samba-bounces at lists.samba.org] 代表 Rowland Penny via samba
发送时间: 2016年12月27日 21:59
收件人: samba at lists.samba.org
主题: Re: [Samba] About error: 'Windows cannot access, you do not have
permission to access'

On Tue, 27 Dec 2016 13:34:24 +0000
Chenyehua via samba <samba at lists.samba.org> wrote:
> HI
> I have a linux samba server and lists users at this server. and access 
> the folder from the windows7 client. Now i configure a LDAP sever and 
> let samba to use it . But I don’t want clients keeping the connection 
> because I have changed the authentication,clinets need to re-login. So 
> I restart smbd. and it works. Then,let clients reconnect to samba, but 
> it report errors: Windows cannot access \\xxxxxx<file:///\\xxxxxx>
You
> do not have permission to access \\xxxxx<file:///\\xxxxx>.... From 
> server’ log,  the client login with old user and password which saved 
> by last time success login. But why the client can’t tell the wrong 
> user or password,and it need to be re-login. From google,I know 
> restart service->workstation it can be useful to re-login.but it’s not 
> kind to user or client. Is there any helpful parameter in smb.comf to 
> avoid the errors and client can reconnect without any operations such 
> as restart workstation. Or someone can tell me why client report this 
> error.
>
> Hope someone help, Thanks!
I am sorry, but I think from the little amount of info you have given, it is
virtually impossible to decide what is wrong. You will have to give us a lot
more info, lets start with the smb.conf

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
-------------------------------------------------------------------------------------------------------------------------------------
本邮件及其附件含有杭州华三通信技术有限公司的保密信息，仅限于发送给上面地址中列出
的个人或群组。禁止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、
或散发）本邮件中的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本
邮件！
This e-mail and its attachments contain confidential information from H3C, which
is intended only for the person or entity whose address is listed above. Any use
of the information contained herein in any way (including, but not limited to,
total or partial disclosure, reproduction, or dissemination) by persons other
than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify
the sender by phone or email immediately and delete it!
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Thu, 29 Dec 2016 00:54:43 +0000
Chenyehua <chen.yehua at h3c.com> wrote:
> Thanks for your attention.
> First, use local users at samba server, and client login success.
> 
> [global]
>    workgroup = H3C ONESTOR
>    server string = %h server (Samba NAS)
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 100000
>    log level = 10
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes usershare max shares = 100
>    usershare allow guests = yes
>    clustering = yes
>    ctdbd socket = /var/run/ctdb/ctdbd.socket
>    max protocol = SMB2
>    large readwrite = yes
>    idmap config *:range = 1000000-1999999
>    use sendfile = yes
>    store dos attributes = yes
>    acl_xattr:ignore system acls = yes
>    aio read size = 1024
>    oplocks = no
>    deadtime = 10
>    aio write behind = true
>    socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>    vfs objects = acl_xattr
>    load printers = no
>    idmap config *:backend = tdb2
>    security = user
>    idmap config ROOT:range = 2000000-2999999
>    idmap config ROOT:backend = rid
>    restrict anonymous = 2
> 
> then，it changed to use LADP, and restart smbd, so that samba server
> close the connection.
> 
> [global]
>    workgroup = H3C ONESTOR
>    server string = %h server (Samba NAS)
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size =100000
>    log level = 10
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes usershare max shares = 100
>    usershare allow guests = yes
>    clustering = yes
>    ctdbd socket = /var/run/ctdb/ctdbd.socket
>    max protocol = SMB2
>    large readwrite = yes
>    idmap config *:range = 1000000-1999999
>    use sendfile = yes
>    store dos attributes = yes
>    acl_xattr:ignore system acls = yes
>    aio read size = 1024
>    oplocks = no
>    deadtime = 10
>    aio write behind = true
>    socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>    vfs objects = acl_xattr
>    load printers = no
>    idmap config *:backend = tdb2
>    security = user
>    idmap config ROOT:range = 2000000-2999999
>    idmap config ROOT:backend = rid
>    restrict anonymous = 2
>    passdb backend = ldapsam:ldap://xxx
>    ldap admin dn = "xxx"
>    ldap suffix = "xxx"
>    ldap delete dn = no
>    ldap ssl = off
> 
> Now，clent need to re-login because server has closed the connection.
> Then try to access samba and report error:' Windows cannot access,
> you do not have permission to access' I reboot client but it still
> report this error.
> 
Lets start with the obvious:

Your workgroup is:

   workgroup = H3C ONESTOR

But you are trying to get users for another workgroup:

   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid

Why ??

Rowland

> 
> Lets start with the obvious:
> 
> Your workgroup is:
> 
>    workgroup = H3C ONESTOR
> 
> But you are trying to get users for another workgroup:
> 
>    idmap config ROOT:range = 2000000-2999999
>    idmap config ROOT:backend = rid
> 
> Why ??
> 
> Rowland
>
You missed..  ;-)

workgroup = H3C ONESTOR

Spaces in workgroup names is not allowed, only alphanumeric characters.
https://msdn.microsoft.com/en-us/library/dd891456.aspx
a space is NOT an alphanumeric character.

So change that to (suggesting): 
workgroup = H3C-ONESTOR

and a good thing to read :
Naming conventions in Active Directory for computers, domains, sites & OUs.
https://support.microsoft.com/en-us/kb/909264

Then change these to something like 
> >    idmap config *:backend = tdb2
> >    idmap config *:range = 1000000-1999999
> >    idmap config H3C-ONESTOR:range = 2000000-2999999
> >    idmap config H3C-ONESTOR:backend = rid
Now as of this point try again. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
via
> samba
> Verzonden: donderdag 29 december 2016 10:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] About error: 'Windows cannot access, you do not
> have permission to access'
> 
> On Thu, 29 Dec 2016 00:54:43 +0000
> Chenyehua <chen.yehua at h3c.com> wrote:
> 
> > Thanks for your attention.
> > First, use local users at samba server, and client login success.
> >
> > [global]
> >    workgroup = H3C ONESTOR
> >    server string = %h server (Samba NAS)
> >    dns proxy = no
> >    log file = /var/log/samba/log.%m
> >    max log size = 100000
> >    log level = 10
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> >    server role = standalone server
> >    obey pam restrictions = yes
> >    unix password sync = yes
> >    passwd program = /usr/bin/passwd %u
> >    passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > pam password change = yes usershare max shares = 100
> >    usershare allow guests = yes
> >    clustering = yes
> >    ctdbd socket = /var/run/ctdb/ctdbd.socket
> >    max protocol = SMB2
> >    large readwrite = yes
> >    idmap config *:range = 1000000-1999999
> >    use sendfile = yes
> >    store dos attributes = yes
> >    acl_xattr:ignore system acls = yes
> >    aio read size = 1024
> >    oplocks = no
> >    deadtime = 10
> >    aio write behind = true
> >    socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> >    vfs objects = acl_xattr
> >    load printers = no
> >    idmap config *:backend = tdb2
> >    security = user
> >    idmap config ROOT:range = 2000000-2999999
> >    idmap config ROOT:backend = rid
> >    restrict anonymous = 2
> >
> > then???it changed to use LADP, and restart smbd, so that samba server
> > close the connection.
> >
> > [global]
> >    workgroup = H3C ONESTOR
> >    server string = %h server (Samba NAS)
> >    dns proxy = no
> >    log file = /var/log/samba/log.%m
> >    max log size =100000
> >    log level = 10
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> >    server role = standalone server
> >    obey pam restrictions = yes
> >    unix password sync = yes
> >    passwd program = /usr/bin/passwd %u
> >    passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > pam password change = yes usershare max shares = 100
> >    usershare allow guests = yes
> >    clustering = yes
> >    ctdbd socket = /var/run/ctdb/ctdbd.socket
> >    max protocol = SMB2
> >    large readwrite = yes
> >    idmap config *:range = 1000000-1999999
> >    use sendfile = yes
> >    store dos attributes = yes
> >    acl_xattr:ignore system acls = yes
> >    aio read size = 1024
> >    oplocks = no
> >    deadtime = 10
> >    aio write behind = true
> >    socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> >    vfs objects = acl_xattr
> >    load printers = no
> >    idmap config *:backend = tdb2
> >    security = user
> >    idmap config ROOT:range = 2000000-2999999
> >    idmap config ROOT:backend = rid
> >    restrict anonymous = 2
> >    passdb backend = ldapsam:ldap://xxx
> >    ldap admin dn = "xxx"
> >    ldap suffix = "xxx"
> >    ldap delete dn = no
> >    ldap ssl = off
> >
> > Now???clent need to re-login because server has closed the connection.
> > Then try to access samba and report error:' Windows cannot access,
> > you do not have permission to access' I reboot client but it still
> > report this error.
> >
> 
> Lets start with the obvious:
> 
> Your workgroup is:
> 
>    workgroup = H3C ONESTOR
> 
> But you are trying to get users for another workgroup:
> 
>    idmap config ROOT:range = 2000000-2999999
>    idmap config ROOT:backend = rid
> 
> Why ??
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Fri, 30 Dec 2016 09:31:20 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > 
> > Lets start with the obvious:
> > 
> > Your workgroup is:
> > 
> >    workgroup = H3C ONESTOR
> > 
> > But you are trying to get users for another workgroup:
> > 
> >    idmap config ROOT:range = 2000000-2999999
> >    idmap config ROOT:backend = rid
> > 
> > Why ??
> > 
> > Rowland
> >
> 
> You missed..  ;-)
> 
> workgroup = H3C ONESTOR
Quite correct, whilst you could have spaces in a 'workgroup' name, you
cannot have spaces in an AD domain 'workgroup' name.
However, I was trying to highlight that the OP was using two workgroup
names.

Rowland

> whilst you could have spaces in a 'workgroup' name  
No, becarefull with mixing "NetBios nameing"  and AD ( DNS Nameing ) 
These are 2 completed different things.

Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
via
> samba
> Verzonden: vrijdag 30 december 2016 11:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] About error: 'Windows cannot access, you do not
> have permission to access'
> 
> On Fri, 30 Dec 2016 09:31:20 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > >
> > > Lets start with the obvious:
> > >
> > > Your workgroup is:
> > >
> > >    workgroup = H3C ONESTOR
> > >
> > > But you are trying to get users for another workgroup:
> > >
> > >    idmap config ROOT:range = 2000000-2999999
> > >    idmap config ROOT:backend = rid
> > >
> > > Why ??
> > >
> > > Rowland
> > >
> >
> > You missed..  ;-)
> >
> > workgroup = H3C ONESTOR
> 
> Quite correct, whilst you could have spaces in a 'workgroup' name,
you
> cannot have spaces in an AD domain 'workgroup' name.
> However, I was trying to highlight that the OP was using two workgroup
> names.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba