Sebastian Arcus
2018-Mar-12 13:17 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 12:56, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:36:47 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>
>> On 12/03/18 11:28, Rowland Penny via samba wrote:
>>> On Mon, 12 Mar 2018 11:11:44 +0000
>>> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>>>
>>>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>>>> when, seemingly out of the blue, the users started to be denied
>>>> access to all shares. If I try from a Windows 7 or Windows 10
>>>> machine, logged in as a user in "Domain Users", I get:
>>>>
>>>> "Windows cannot access \\server-name\share_name. You do not have
>>>> permission to access \\server-name\share_name"
>>>>
>>>> If I use smbclient, it allows me to login on the share, but if I do
>>>> 'ls', I get:
>>>>
>>>> smb: \> ls
>>>> NT_STATUS_ACCESS_DENIED listing \*
>>>>
>>>> I have tried the following:
>>>>
>>>> 1. The Domain admin can still access the shares - both from
>>>> smbclient and from Windows machines.
>>>>
>>>> 2. I have checked the acl's on the server, they look ok:
>>>>
>>>> # getfacl share_name/
>>>> # file: clients/
>>>> # owner: root
>>>> # group: MYDOMAIN\134domain\040users
>>>> user::rwx
>>>> group::rwx
>>>> group:MYDOMAIN\134domain\040users:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:MYDOMAIN\134domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>>>
>>>> 4. Kerberos tests work correctly
>>>>
>>>> 5. There are no errors in the Bind/dns configuration
>>>>
>>>> 6. I have logged in through Windows and reset the permissions there
>>>> to allow "Domain Users" on the share
>>>>
>>>> 7. All my smb.conf shares look like this:
>>>>
>>>> [share_name]
>>>> path = /srv/samba/share_name
>>>> read only = No
>>>> inherit acls = yes
>>>>
>>>>
>>>> I am at a loss how "Domain Users" is denied access to the share,
>>>> when everything appears to be fine. Any suggestions much
>>>> appreciated!
>>>>
>>>
>>> Can you post your entire smb.conf (as on disk)
>>
>>
>> Hi Rowland. Please find the smb.conf below:
>>
>>
>> # Global parameters
>> [global]
>> netbios name = HEBU-SERVER
>> realm = HEBU.LAN
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = HEBU
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>>
>> bind interfaces only = Yes
>> interfaces = lo br0 tun0
>>
>
> There are few default settings there, but nothing really wrong except
> for 'inherit acls = yes'. You cannot use things like this on DC, you
> need to set the permissions from windows, see here:

I actually added 'inherit acls = yes' after the problem started, just in case. I used the second link below to set the permissions from Windows - adding 'Domain Users' to the list (when logged in as the domain Administrator - which it let me). But I still can't access them using any other domain user. I just discovered that even if I add users to the 'Domain Admins' group, they are still not allowed to access the shares.

>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> and:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> I don't think this is your main problem though, did the problem start
> after a windows update ?
> I think your clients are possibly trying to connect with NTLMv2

If that was the case, shouldn't smbclient continue to work? I can't list the contents of the shares even using smbclient.
Rowland Penny
2018-Mar-12 14:28 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On Mon, 12 Mar 2018 13:17:19 +0000
Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> On 12/03/18 12:56, Rowland Penny via samba wrote:
> >
> > I don't think this is your main problem though, did the problem
> > start after a windows update ?
> > I think your clients are possibly trying to connect with NTLMv2
>
> If that was the case, shouldn't smbclient continue to work? I can't
> list the contents of the shares even using smbclient.

OK, I ran some tests on one of my DCs:

root at dc1:~# smbclient -L localhost
Enter Administrator at SAMDOM.EXAMPLE.COM's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        data            Disk
        IPC$            IPC       IPC Service (Samba 4.7.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            DC1

Anonymous login works.

root at dc1:~# smbclient '\\dc1\data'
Enter Administrator at SAMDOM.EXAMPLE.COM's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

                456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

root at dc1:~# smbclient '\\dc1\data' rowland
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

root at dc1:~# smbclient '\\dc1\data' -U rowland
Enter SAMDOM\rowland's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

                456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

Connecting to the share as Administrator works.

root at dc1:~# smbclient '\\dc1\data' <domain user>
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

root at dc1:~# smbclient '\\dc1\data' -U <domain user>
Enter SAMDOM\<domain user>'s password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 15 12:55:50 2014
  ..                                  D        0  Sun Dec 17 13:19:43 2017
  staff                               D        0  Fri Aug 15 12:55:50 2014

                456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit

Connecting to the share as a normal domain user works.

This shows the Unix permissions on the share:

root at dc1:~# ls -lad /home/shared
drwxr-xr-x 3 root root 4096 Aug 15  2014 /home/shared

And this is the output of getfacl:

root at dc1:~# getfacl /home/shared/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/
# owner: root
# group: root
user::rwx
group::r-x
group:SAMDOM\134domain\040users:rwx
mask::rwx
other::r-x

I then connected to the share from a Linux machine as the domain user and created a file, 'ls' now shows this:

root at dc1:~# ls /home/shared/
hello.txt  staff
root at dc1:~# ls -la /home/shared/
total 20
drwxrwxr-x+  3 root                  root                 4096 Mar 12 14:05 .
drwxr-xr-x  10 root                  root                 4096 Dec 17 13:19 ..
-rwxrwxr-x+  1 SAMDOM\<domain user>  SAMDOM\domain users     0 Mar 12 14:05 hello.txt
drwxrwxrwx+  2 SAMDOM\<domain user>  10001                4096 Aug 15  2014 staff

If something like the above doesn't work for you, then something is wrong.

Does 'getent passwd username' produce output ?

Rowland
Sebastian Arcus
2018-Mar-12 16:10 UTC
[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 14:28, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 13:17:19 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>
>> On 12/03/18 12:56, Rowland Penny via samba wrote:
>>>
>>> I don't think this is your main problem though, did the problem
>>> start after a windows update ?
>>> I think your clients are possibly trying to connect with NTLMv2
>>
>> If that was the case, shouldn't smbclient continue to work? I can't
>> list the contents of the shares even using smbclient.
>
> OK, I ran some tests on one of my DCs:

I feel like a complete idiot. My Samba shares are under /srv/samba, and after 8 hours of troubleshooting, I discovered that /srv was missing the execute bit for 'other' - so regular users didn't have the permission to traverse the tree any more. Friday towards the end of the day I must have copied something under /srv, which unbeknownst to me, reset the permissions on /srv. From that moment on all regular users lost access to their shares. I can't believe I have pretty much taken this server apart, upgraded and downgraded kernels, upgraded and downgraded Samba packages and did all sorts of troubleshooting - yet I never spotted the missing permissions! It is true that the /srv/samba path was never explicitly mentioned in the logs, but still - I am sorry for the noise. Thanks for all the suggestions in the message above.
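Added example (not part of the thread, not Samba project code): a small POSIX sh helper that automates the check Sebastian ended up doing by hand, namely looking at the search (execute) bit for "other" on every directory between / and the share path. getfacl on the share directory itself cannot show this, because the lost bit sits on a parent such as /srv; a domain user whose Unix account is neither the owner nor in the group of that parent traverses it as "other", and one missing bit there is enough to turn every listing into NT_STATUS_ACCESS_DENIED while wbinfo, Kerberos and the share ACLs all look healthy. The helper assumes GNU or busybox coreutils `stat -c %a`; the path in the comment is illustrative.

```sh
#!/bin/sh
# check_traverse PATH
#   Prints one line per directory component of PATH (including /) and returns
#   the number of components whose mode lacks the execute bit for "other"
#   (0 means every directory on the way to PATH is traversable by anyone).
#   Assumes `stat -c %a` (GNU/busybox coreutils) prints the octal mode.
check_traverse() {
    target=$1
    missing=0
    dir=""

    # Split the path on "/" into positional parameters. Globbing is switched
    # off so a component such as "*" is not expanded; a leading "/" only
    # yields an empty first field, which the loop skips.
    oldifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$oldifs

    # The root directory is a component too, even if it is rarely the culprit.
    for comp in / "$@"; do
        if [ "$comp" = / ]; then
            dir=/
        else
            [ -z "$comp" ] && continue
            dir="${dir%/}/$comp"
        fi
        # Only directories need the search bit; a trailing file is skipped.
        [ -d "$dir" ] || continue
        mode=$(stat -c %a "$dir") || return 255
        # The last octal digit is the "other" triplet; its low bit is execute.
        other=${mode#"${mode%?}"}
        if [ $((other & 1)) -eq 0 ]; then
            printf 'MISSING o+x  %-5s %s\n' "$mode" "$dir"
            missing=$((missing + 1))
        else
            printf 'ok           %-5s %s\n' "$mode" "$dir"
        fi
    done
    return $missing
}

# Typical use on a DC, with the share path from the thread (illustrative):
#   check_traverse /srv/samba/share_name
# A reported parent is repaired with `chmod o+x <dir>` on that directory only;
# the share directory itself keeps whatever ACLs were set from Windows.
```

The check deliberately looks only at the "other" bits: that is the triplet a domain user falls through to on a root-owned parent directory, and it is exactly the one a stray copy or restore resets. Group membership of the user is not consulted, so a directory that is traversable only via its group still shows up as MISSING and should be read in the light of the full mode the helper prints beside it.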