Olaf Frączyk
2017-May-10 15:47 UTC
[Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server
Hello,

I have domain NAVIDOM.

There is also a fileserver that has joined the domain (both file server and DC are samba 4.6.0).

If I try to connect as NAVIDOM\Administrator, I cannot access the file server (from Linux and Windows):

[root@dc var]# smbclient -U Administrator -L fileserv
Enter NAVIDOM\Administrator's password:
session setup failed: NT_STATUS_ACCESS_DENIED

I can do it as a regular user:

[root@fileserv samba]# smbclient -U olaf -L fileserv
Enter NAVIDOM\olaf's password:

Sharename Type Comment
--------- ---- -------

.......

Is this normal or do I have a problem with my setup?

I have found out also, that when I try to run the "DNS" Windows tool I get "access was denied".

It worked previously - the only thing I can think of that could cause the change was that Administrator's password has expired. I don't know if it is related to this problem or not.

Below is a log with debug=6 on the file server when logging as administrator:

[2017/05/10 17:16:15.823142, 6] ../source3/param/loadparm.c:2301(lp_file_list_changed) lp_file_list_changed() file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf last mod_time: Mon Apr 10 11:07:38 2017
[2017/05/10 17:16:15.823225, 3] ../source3/smbd/oplock.c:1322(init_oplocks) init_oplocks: initializing messages.
[2017/05/10 17:16:15.823247, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 774 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823267, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 778 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823284, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 770 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823299, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 787 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823315, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 779 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823331, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 15 - private_data=(nil) [2017/05/10 17:16:15.823345, 5] ../source3/lib/messages.c:463(messaging_register) Overriding messaging pointer for type 15 - private_data=(nil) [2017/05/10 17:16:15.823380, 5] ../source3/lib/messages.c:495(messaging_deregister) Deregistering messaging pointer for type 16 - private_data=(nil) [2017/05/10 17:16:15.823400, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 16 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823415, 5] ../source3/lib/messages.c:495(messaging_deregister) Deregistering messaging pointer for type 33 - private_data=0x7f23f5eb6ff0 [2017/05/10 17:16:15.823431, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 33 - private_data=0x7f23f5ec0060 [2017/05/10 17:16:15.823446, 5] ../source3/lib/messages.c:495(messaging_deregister) Deregistering messaging pointer for type 790 - private_data=(nil) [2017/05/10 17:16:15.823461, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 790 - private_data=0x7f23f5ec0060 [2017/05/10 
17:16:15.823476, 5] ../source3/lib/messages.c:495(messaging_deregister) Deregistering messaging pointer for type 791 - private_data=(nil) [2017/05/10 17:16:15.823491, 5] ../source3/lib/messages.c:495(messaging_deregister) Deregistering messaging pointer for type 1 - private_data=(nil) [2017/05/10 17:16:15.823506, 5] ../source3/lib/messages.c:448(messaging_register) Registering messaging pointer for type 1 - private_data=(nil) [2017/05/10 17:16:15.823658, 6] ../source3/smbd/process.c:1955(process_smb) got message type 0x0 of len 0xbe [2017/05/10 17:16:15.823683, 3] ../source3/smbd/process.c:1957(process_smb) Transaction 0 of length 194 (0 toread) [2017/05/10 17:16:15.823703, 5] ../source3/lib/util.c:171(show_msg) [2017/05/10 17:16:15.823716, 5] ../source3/lib/util.c:181(show_msg) size=190 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51267 smb_tid=0 smb_pid=65534 smb_uid=0 smb_mid=0 smt_wct=0 smb_bcc=155 [2017/05/10 17:16:15.823771, 3] ../source3/smbd/process.c:1538(switch_message) switch message SMBnegprot (pid 14108) conn 0x0 [2017/05/10 17:16:15.823809, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:15.823833, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:15.823852, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:15.823890, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:15.824818, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [PC NETWORK PROGRAM 1.0] [2017/05/10 17:16:15.824852, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [MICROSOFT NETWORKS 1.03] [2017/05/10 17:16:15.824872, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [MICROSOFT NETWORKS 3.0] [2017/05/10 17:16:15.824890, 3] 
../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [LANMAN1.0] [2017/05/10 17:16:15.824907, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [LM1.2X002] [2017/05/10 17:16:15.824924, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [DOS LANMAN2.1] [2017/05/10 17:16:15.824940, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [LANMAN2.1] [2017/05/10 17:16:15.824956, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [Samba] [2017/05/10 17:16:15.824972, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [NT LANMAN 1.0] [2017/05/10 17:16:15.824989, 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol [NT LM 0.12] [2017/05/10 17:16:15.825071, 6] ../source3/param/loadparm.c:2301(lp_file_list_changed) lp_file_list_changed() file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf last mod_time: Mon Apr 10 11:07:38 2017 [2017/05/10 17:16:15.825121, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order) check lock order 2 for /usr/local/samba/var/lock/serverid.tdb [2017/05/10 17:16:15.825151, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor) release lock order 2 for /usr/local/samba/var/lock/serverid.tdb [2017/05/10 17:16:15.825199, 6] ../source3/param/loadparm.c:2301(lp_file_list_changed) lp_file_list_changed() file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf last mod_time: Mon Apr 10 11:07:38 2017 [2017/05/10 17:16:15.825300, 5] ../source3/auth/auth.c:477(make_auth_context_subsystem) Making default auth method list for server role = 'domain member' [2017/05/10 17:16:15.825331, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend trustdomain [2017/05/10 17:16:15.825356, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'trustdomain' [2017/05/10 17:16:15.825385, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend ntdomain 
[2017/05/10 17:16:15.825402, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'ntdomain' [2017/05/10 17:16:15.825418, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend guest [2017/05/10 17:16:15.825436, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'guest' [2017/05/10 17:16:15.825449, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend sam [2017/05/10 17:16:15.825462, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'sam' [2017/05/10 17:16:15.825475, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend sam_ignoredomain [2017/05/10 17:16:15.825496, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'sam_ignoredomain' [2017/05/10 17:16:15.825514, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend winbind [2017/05/10 17:16:15.825530, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'winbind' [2017/05/10 17:16:15.825552, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend unix [2017/05/10 17:16:15.825570, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'unix' [2017/05/10 17:16:15.825584, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend wbc [2017/05/10 17:16:15.825597, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'wbc' [2017/05/10 17:16:15.825614, 5] ../source3/auth/auth.c:48(smb_register_auth) Attempting to register auth backend samba4 [2017/05/10 17:16:15.825631, 5] ../source3/auth/auth.c:60(smb_register_auth) Successfully added auth method 'samba4' [2017/05/10 17:16:15.825645, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match guest [2017/05/10 17:16:15.825661, 5] 
../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method guest has a valid init [2017/05/10 17:16:15.825676, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match sam [2017/05/10 17:16:15.825692, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method sam has a valid init [2017/05/10 17:16:15.825707, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind:ntdomain [2017/05/10 17:16:15.825722, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match ntdomain [2017/05/10 17:16:15.825738, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method ntdomain has a valid init [2017/05/10 17:16:15.825753, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method winbind has a valid init [2017/05/10 17:16:15.826055, 5] ../auth/gensec/gensec_start.c:681(gensec_start_mech) Starting GENSEC mechanism spnego [2017/05/10 17:16:15.826133, 5] ../auth/gensec/gensec_start.c:681(gensec_start_mech) Starting GENSEC submechanism gse_krb5 [2017/05/10 17:16:16.352824, 3] ../source3/smbd/negprot.c:394(reply_nt1) using SPNEGO [2017/05/10 17:16:16.352862, 3] ../source3/smbd/negprot.c:730(reply_negprot) Selected protocol NT LANMAN 1.0 [2017/05/10 17:16:16.352871, 5] ../source3/smbd/negprot.c:737(reply_negprot) negprot index=8 [2017/05/10 17:16:16.352881, 5] ../source3/lib/util.c:171(show_msg) [2017/05/10 17:16:16.352886, 5] ../source3/lib/util.c:181(show_msg) size=181 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51267 smb_tid=0 smb_pid=65534 smb_uid=0 smb_mid=0 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12803 (0x3203) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 7168 (0x1C00) smb_vwv[ 8]= 55 (0x37) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]=33011 
(0x80F3) smb_vwv[11]=62336 (0xF380) smb_vwv[12]= 8118 (0x1FB6) smb_vwv[13]=41054 (0xA05E) smb_vwv[14]=53961 (0xD2C9) smb_vwv[15]=34817 (0x8801) smb_vwv[16]= 255 (0xFF) smb_bcc=112 [2017/05/10 17:16:21.261826, 6] ../source3/smbd/process.c:1955(process_smb) got message type 0x0 of len 0x64e [2017/05/10 17:16:21.261912, 3] ../source3/smbd/process.c:1957(process_smb) Transaction 1 of length 1618 (0 toread) [2017/05/10 17:16:21.261937, 5] ../source3/lib/util.c:171(show_msg) [2017/05/10 17:16:21.261953, 5] ../source3/lib/util.c:181(show_msg) size=1614 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51267 smb_tid=0 smb_pid=2614 smb_uid=0 smb_mid=1 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]=65535 (0xFFFF) smb_vwv[ 3]= 2 (0x2) smb_vwv[ 4]= 1 (0x1) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 1533 (0x5FD) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]=49236 (0xC054) smb_vwv[11]=32768 (0x8000) smb_bcc=1555 [2017/05/10 17:16:21.262116, 3] ../source3/smbd/process.c:1538(switch_message) switch message SMBsesssetupX (pid 14108) conn 0x0 [2017/05/10 17:16:21.262150, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:21.262173, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:21.262194, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:21.262234, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:21.262270, 3] ../source3/smbd/sesssetup.c:623(reply_sesssetup_and_X) wct=12 flg2=0xc843 [2017/05/10 17:16:21.262301, 3] ../source3/smbd/sesssetup.c:140(reply_sesssetup_and_X_spnego) Doing spnego session setup [2017/05/10 17:16:21.262332, 3] ../source3/smbd/sesssetup.c:181(reply_sesssetup_and_X_spnego) NativeOS=[Unix] NativeLanMan=[Samba] 
PrimaryDomain=[] [2017/05/10 17:16:21.262427, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order) check lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb [2017/05/10 17:16:21.262680, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor) release lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb [2017/05/10 17:16:21.262726, 5] ../source3/auth/auth.c:477(make_auth_context_subsystem) Making default auth method list for server role = 'domain member' [2017/05/10 17:16:21.262762, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match guest [2017/05/10 17:16:21.262789, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method guest has a valid init [2017/05/10 17:16:21.262810, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match sam [2017/05/10 17:16:21.262831, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method sam has a valid init [2017/05/10 17:16:21.262851, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match winbind:ntdomain [2017/05/10 17:16:21.262872, 5] ../source3/auth/auth.c:378(load_auth_module) load_auth_module: Attempting to find an auth method to match ntdomain [2017/05/10 17:16:21.262894, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method ntdomain has a valid init [2017/05/10 17:16:21.262913, 5] ../source3/auth/auth.c:403(load_auth_module) load_auth_module: auth method winbind has a valid init [2017/05/10 17:16:21.263011, 5] ../auth/gensec/gensec_start.c:681(gensec_start_mech) Starting GENSEC mechanism spnego [2017/05/10 17:16:21.263095, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2017/05/10 17:16:21.263122, 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2017/05/10 17:16:21.263142, 4] 
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/05/10 17:16:21.263162, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:21.263180, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:21.263290, 5] ../auth/gensec/gensec_start.c:681(gensec_start_mech) Starting GENSEC submechanism gse_krb5 [2017/05/10 17:16:21.792985, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:21.793124, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2017/05/10 17:16:21.793144, 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2017/05/10 17:16:21.793153, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/05/10 17:16:21.793172, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:21.793184, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:22.402313, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:22.402525, 3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found account name from PAC: Administrator [] [2017/05/10 17:16:22.402590, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [Administrator at NAVIDOM.OFFICE.NAVI.PL] [2017/05/10 17:16:22.402621, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user NAVIDOM\Administrator [2017/05/10 17:16:22.402632, 5] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is navidom\administrator [2017/05/10 17:16:22.405491, 5] 
../source3/lib/username.c:128(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is NAVIDOM\Administrator [2017/05/10 17:16:22.405757, 5] ../source3/lib/username.c:141(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is NAVIDOM\ADMINISTRATOR [2017/05/10 17:16:22.406002, 5] ../source3/lib/username.c:153(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in navidom\administrator [2017/05/10 17:16:22.406057, 5] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [NAVIDOM\Administrator]! [2017/05/10 17:16:22.406076, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc) Finding user Administrator [2017/05/10 17:16:22.406090, 5] ../source3/lib/username.c:120(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is administrator [2017/05/10 17:16:22.406315, 5] ../source3/lib/username.c:128(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is Administrator [2017/05/10 17:16:22.406566, 5] ../source3/lib/username.c:141(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR [2017/05/10 17:16:22.406802, 5] ../source3/lib/username.c:153(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in administrator [2017/05/10 17:16:22.406827, 5] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [Administrator]! 
[2017/05/10 17:16:22.406929, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) get_user_from_kerberos_info: Username NAVIDOM\Administrator is invalid on this system [2017/05/10 17:16:22.406952, 3] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac) auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2017/05/10 17:16:22.406988, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED [2017/05/10 17:16:22.407010, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order) check lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb [2017/05/10 17:16:22.407070, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor) release lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb [2017/05/10 17:16:22.407193, 3] ../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED [2017/05/10 17:16:22.407222, 5] ../source3/lib/util.c:171(show_msg) [2017/05/10 17:16:22.407232, 5] ../source3/lib/util.c:181(show_msg) size=35 smb_com=0x73 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51203 smb_tid=0 smb_pid=2614 smb_uid=0 smb_mid=1 smt_wct=0 smb_bcc=0 [2017/05/10 17:16:22.407889, 5] ../source3/lib/util_sock.c:134(read_fd_with_timeout) read_fd_with_timeout: blocking read. EOF from client. [2017/05/10 17:16:22.407918, 5] ../source3/smbd/process.c:554(receive_smb_talloc) receive_smb_raw_talloc failed for client ipv4:192.168.1.2:36348 read error = NT_STATUS_END_OF_FILE. 
[2017/05/10 17:16:22.407959, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:22.407974, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:22.407985, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:22.408005, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:22.408037, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:22.408051, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:22.408061, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:22.408079, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:22.408092, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:22.408108, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:22.408119, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2017/05/10 17:16:22.408136, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:22.408151, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/05/10 17:16:22.408162, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2017/05/10 17:16:22.408172, 5] ../source3/auth/token_util.c:640(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and 
contains 0 supplementary groups [2017/05/10 17:16:22.408188, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2017/05/10 17:16:22.408396, 3] ../source3/smbd/server_exit.c:246(exit_server_common) Server exit (failed to receive smb request)

Best regards,
Olaf
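Added example (not part of the original post and not Samba code): a small triage script for smbd debug logs like the one above. It picks out the Kerberos principal, the Unix account lookups that failed and the final status, which separates "ticket accepted but no Unix account for the user" from a wrong password. The sample entries are abridged from the log in the post, with the archive's " at " written as "@"; the function and field names are hypothetical.

```python
import re

# Constructed sample: entries abridged from the level-6 smbd log in the post
# above (the mail archive's " at " is written as "@" here).
SAMPLE_LOG = r"""
[2017/05/10 17:16:22.402525, 3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac) Found account name from PAC: Administrator []
[2017/05/10 17:16:22.402590, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [Administrator@NAVIDOM.OFFICE.NAVI.PL]
[2017/05/10 17:16:22.406057, 5] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [NAVIDOM\Administrator]!
[2017/05/10 17:16:22.406827, 5] ../source3/lib/username.c:159(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [Administrator]!
[2017/05/10 17:16:22.406929, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) get_user_from_kerberos_info: Username NAVIDOM\Administrator is invalid on this system
[2017/05/10 17:16:22.406988, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
"""

# Header that starts every smbd debug entry: [date time, level] file:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+\S+?:\d+\((\w+)\)")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[(.+?)\]")
NOT_FOUND = re.compile(r"Get_Pwnam_internals didn't find user \[(.+?)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
FAILED = re.compile(r"Failed to generate session_info .*: (NT_STATUS_\w+)")


def entries(text):
    """Yield (timestamp, level, function, message) for each debug entry.

    Splitting on the entry header instead of on newlines also handles logs
    whose line breaks were lost, as happens in a mail archive.
    """
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[h.end():end].split())
        yield h.group(1), int(h.group(2)), h.group(3), message


def triage(text):
    """Return one record per Kerberos session setup that was refused."""
    failures, cur = [], None
    for ts, _level, _func, msg in entries(text):
        if m := PRINCIPAL.search(msg):
            # A new session setup starts when smbd logs the ticket principal.
            cur = {"time": ts, "principal": m.group(1), "lookups_failed": [],
                   "unmapped": None, "status": None}
        elif cur is None:
            continue
        elif m := NOT_FOUND.search(msg):
            cur["lookups_failed"].append(m.group(1))
        elif m := INVALID.search(msg):
            cur["unmapped"] = m.group(1)
        elif m := FAILED.search(msg):
            cur["status"] = m.group(1)
            failures.append(cur)
            cur = None
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['principal']}: {f['status']}; "
              f"no Unix account for {f['unmapped']} "
              f"(tried {', '.join(f['lookups_failed'])})")
```

A record with `unmapped` set means the ticket was read and the refusal came from the name-to-Unix-account lookup on the member server.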
Rowland Penny
2017-May-10 16:06 UTC
[Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server
On Wed, 10 May 2017 17:47:37 +0200 Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have domain NAVIDOM.
>
> There is also a fileserver that has joined the domain (both file
> server and DC are samba 4.6.0).
>
> If I try to connect as NAVIDOM\Administrator, I cannot access the
> file server (from Linux and Windows):
>
> [root@dc var]# smbclient -U Administrator -L fileserv
> Enter NAVIDOM\Administrator's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I can do it as a regular user:
>
> [root@fileserv samba]# smbclient -U olaf -L fileserv
> Enter NAVIDOM\olaf's password:
>
> Sharename Type Comment
> --------- ---- -------
>
> .......
>
> Is this normal or do I have a problem with my setup?
>

Possibly normal, but it depends on your smb.conf on the Unix domain member, so can you post the smb.conf from the Unix domain member (the thing you call a fileserver)

Rowland
Olaf Frączyk
2017-May-10 16:44 UTC
[Samba] Samba 4.6.0 - Domain admin can't list nor access shares on file server
On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:

> On Wed, 10 May 2017 17:47:37 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have domain NAVIDOM.
>>
>> There is also a fileserver that has joined the domain (both file
>> server and DC are samba 4.6.0).
>>
>> If I try to connect as NAVIDOM\Administrator, I cannot access the
>> file server (from Linux and Windows):
>>
>> [root@dc var]# smbclient -U Administrator -L fileserv
>> Enter NAVIDOM\Administrator's password:
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>> I can do it as a regular user:
>>
>> [root@fileserv samba]# smbclient -U olaf -L fileserv
>> Enter NAVIDOM\olaf's password:
>>
>> Sharename Type Comment
>> --------- ---- -------
>>
>> .......
>>
>> Is this normal or do I have a problem with my setup?
>>
> Possibly normal, but it depends on your smb.conf on the Unix domain
> member, so can you post the smb.conf from the Unix domain member (the
> thing you call a fileserver)
>
> Rowland
>
>

[global]
security = ADS
workgroup = NAVIDOM
realm = NAVIDOM.OFFICE.NAVI.PL
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config NAVIDOM:backend = ad
idmap config NAVIDOM:schema_mode = rfc2307
idmap config NAVIDOM:range = 1000-9999
idmap config NAVIDOM:unix_nss_info = yes
idmap config NAVIDOM:unix_primary_group = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U
create mask = 0666
directory mask= 0777
store dos attributes = yes

Is this because of NAVIDOM:range = 1000-9999, so it doesn't include uid 0?
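Added example (not part of the thread and not Samba code): a checker for the `idmap config` lines of the smb.conf posted above. It reports which configured range, if any, is authoritative for a given Unix ID, and flags ranges that overlap. The function names are hypothetical; the configuration lines are copied from the post.

```python
import re
from itertools import combinations

# idmap lines copied from the smb.conf in the post above, spacing as posted.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config NAVIDOM:backend = ad
idmap config NAVIDOM:schema_mode = rfc2307
idmap config NAVIDOM:range = 1000-9999
"""

# "idmap config <DOMAIN> : <option> = <value>", with or without spaces around ':'
IDMAP = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)


def idmap_domains(conf_text):
    """Return {domain: {option: value}}; "range" is parsed into (low, high)."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains


def owners(domains, unix_id):
    """Domains whose range contains unix_id.

    An empty list means no configured backend is authoritative for that ID,
    so winbind will not map it.
    """
    return [d for d, cfg in domains.items()
            if "range" in cfg and cfg["range"][0] <= unix_id <= cfg["range"][1]]


def overlapping(domains):
    """Pairs of domains whose ranges intersect; idmap ranges must be disjoint."""
    ranged = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


if __name__ == "__main__":
    conf = idmap_domains(SMB_CONF)
    for uid in (0, 1000, 20500):
        print(uid, owners(conf, uid) or "outside every idmap range")
    print("overlaps:", overlapping(conf) or "none")
```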