samba - Mar 2018 - NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue

On 12/03/18 12:56, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:36:47 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> 
>>
>> On 12/03/18 11:28, Rowland Penny via samba wrote:
>>> On Mon, 12 Mar 2018 11:11:44 +0000
>>> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>>>
>>>> I have a Samba AD running Samba 4.7.5. Everything was working
fine,
>>>> when, seemingly out of the blue, the users started to be denied
>>>> access to all shares. If I try from a Windows 7 or Windows 10
>>>> machine, logged in as a user in "Domain Uses", I get:
>>>>
>>>> "Windows cannot access \\server-name\share_name. You do
not have
>>>> permission to access \\server-name\share_name"
>>>>
>>>> If I use smbclient, it allows me to login on the share, but if
I do
>>>> 'ls', I get:
>>>>
>>>> smb: \> ls
>>>> NT_STATUS_ACCESS_DENIED listing \*
>>>>
>>>> I have tried the following:
>>>>
>>>> 1. The Domain admin can still access the shares - both from
>>>> smbclient and from Windows machines.
>>>>
>>>> 2. I have checked the acl's on the server, they look ok:
>>>>
>>>> # getfacl share_name/
>>>> # file: clients/
>>>> # owner: root
>>>> # group: MYDOMAIN\134domain\040users
>>>> user::rwx
>>>> group::rwx
>>>> group:MYDOMAIN\134domain\040users:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:MYDOMAIN\134domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> 3. "wbinfo -g" and "wbinfo -u" work
correctly
>>>>
>>>> 4. Kerberos tests work correctly
>>>>
>>>> 5. There are no errors in the Bind/dns configuration
>>>>
>>>> 6. I have logged in through Windows and reset the permissions
there
>>>> to allow "Domain Users" on the share
>>>>
>>>> 7. All my smb.conf shares look like this:
>>>>
>>>> [share_name]
>>>> path = /srv/samba/share_name
>>>> read only = No
>>>> inherit acls = yes
>>>>
>>>>
>>>> I am at a loss how "Domain Users" is denied access to
the share,
>>>> when everything appears to be fine. Any suggestions much
>>>> appreciated!
>>>>
>>>
>>> Can you post your entire smb.conf (as on disk)
>>
>>
>> Hi Rowland. Please find the smb.conf below:
>>
>>
>> # Global parameters
>> [global]
>>           netbios name = HEBU-SERVER
>>           realm = HEBU.LAN
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>           workgroup = HEBU
>>           server role = active directory domain controller
>>           idmap_ldb:use rfc2307 = yes
>>
>>           bind interfaces only = Yes
>>           interfaces = lo br0 tun0
>>
> 
> There are few default settings there, but nothing really wrong except
> for 'inherit acls = yes'. You cannot use things like this on DC,
you
> need to set the permissions from windows, see here:
I actually added 'inherit acls = yes' after the problem started, just in
case. I used the second link below to set the permissions from Windows - 
adding 'Domain Users' to the list (when logged in as the domain 
Administrator - which it let me). But I still can't access them using 
any other domain user. I just discovered that even if I add users to the 
'Domain Admins' group, they are still not allowed to access the shares.
> 
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
> 
> and:
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> I don't think this is your main problem though, did the problem start
> after a windows update ?
> I think your clients are possibly trying to connect with NTLMv2
If that was the case, shouldn't smbclient continue to work? I can't list
the contents of the shares even using smbclient.

On Mon, 12 Mar 2018 13:17:19 +0000
Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> On 12/03/18 12:56, Rowland Penny via samba wrote:
> > 
> > I don't think this is your main problem though, did the problem
> > start after a windows update ?
> > I think your clients are possibly trying to connect with NTLMv2
> 
> If that was the case, shouldn't smbclient continue to work? I can't
> list the contents of the shares even using smbclient.
OK, I ran some tests on one of my DCs:

root at dc1:~# smbclient -L localhost
Enter Administrator at SAMDOM.EXAMPLE.COM's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	data            Disk      
	IPC$            IPC       IPC Service (Samba 4.7.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            DC1

Anonymous login works.

root at dc1:~# smbclient '\\dc1\data'
Enter Administrator at SAMDOM.EXAMPLE.COM's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

		456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

root at dc1:~# smbclient '\\dc1\data' rowland
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root at dc1:~# smbclient '\\dc1\data' -U rowland
Enter SAMDOM\rowland's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

		456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

Connecting to the share as Administrator works.

root at dc1:~# smbclient '\\dc1\data' <domain user>
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root at dc1:~# smbclient '\\dc1\data' -U <domain user>
Enter SAMDOM\<domain user>'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

		456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

connecting to the share as a normal domain user works.

This shows the Unix permissions on the share:

root at dc1:~# ls -lad /home/shared
drwxr-xr-x 3 root root 4096 Aug 15  2014 /home/shared

And this is the output of getfacl:

root at dc1:~# getfacl /home/shared/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/
# owner: root
# group: root
user::rwx
group::r-x
group:SAMDOM\134domain\040users:rwx
mask::rwx
other::r-x

I then connected to the share from a Linux machine as the domain user
and created a file, 'ls' now shows this:

root at dc1:~# ls /home/shared/
hello.txt  staff
root at dc1:~# ls -la /home/shared/
total 20
drwxrwxr-x+  3 root         root                4096 Mar 12 14:05 .
drwxr-xr-x  10 root         root                4096 Dec 17 13:19 ..
-rwxrwxr-x+  1 SAMDOM\<domain user> SAMDOM\domain users    0 Mar 12 14:05
hello.txt
drwxrwxrwx+  2 SAMDOM\<domain user>               10001 4096 Aug 15
2014 staff

If, something like the above doesn't work for you, then something is
wrong.

Does 'getent passwd username' produce output ?

Rowland

On 12/03/18 14:28, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 13:17:19 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> 
>> On 12/03/18 12:56, Rowland Penny via samba wrote:
>>>
>>> I don't think this is your main problem though, did the problem
>>> start after a windows update ?
>>> I think your clients are possibly trying to connect with NTLMv2
>>
>> If that was the case, shouldn't smbclient continue to work? I
can't
>> list the contents of the shares even using smbclient.
> 
> OK, I ran some tests on one of my DCs:
I feel like a complete idiot. My Samba shares are under /srv/samba, and 
after 8 hours of troubleshooting, I discovered that /srv was missing the 
execute bit for 'other' - so regular users didn't have the
permission to
traverse the tree any more. Friday towards the end of the day I must 
have copied something under /srv, which unbeknownst to me, reset the 
permissions on /srv. From that moment on all regular users lost access 
to their shares. I can't believe I have pretty much taken this server 
apart, upgraded and downgraded kernels, upgraded and downgraded Samba 
packages and did all sorts of troubleshooting - yet I never spotted the 
missing permissions! It is true the the /srv/samba path was never 
explicitly mentioned in the logs, but still - I am sorry for the noise.

Thank for all the suggestions in the message above.