Ing. Claudio Nicora
2018-Jul-05  12:03 UTC
[Samba] NT_STATUS_NO_MEMORY accessing a DC shared resource
I have a working Samba 4.7.6 DC with the default /sysvol and /netlogon shares.

These shares work perfectly and domain users can access them without any issue.

Now, to ease experimenting with config files and stuff (it's not a production server), I've added a /rootdisk share (path=/) limiting its access to root and domain admins:

---------
# cat /etc/samba/smb.conf
[global]
        bind interfaces only = Yes
        interfaces = lo eth_lan
        netbios name = SRVADDC
        realm = SAMDOM.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        #username map = /etc/samba/username.map

[netlogon]
        path = /var/lib/samba/sysvol/samdom.it/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[RootDisk]
        path = /
        read only = No
        valid users = root SAMDOM\myuser @"SAMDOM\domain admins"
        force user = root
        force group = root
        create mode = 0640
        force create mode = 0640
-----

It worked at first but now, after about 2 days, it stopped working and I can't connect to it from Windows anymore.

Running this from a command prompt:

net use * \\srvaddc.samdom.local\RootDisk

returns this error message (translated from localized one, so it could not be exactly the same in English):

-----
System error 8.
Insufficient memory to execute the command
-----

This is the samba log (level 4) of the client trying to connect with the NT_STATUS_NO_MEMORY error:

-----
[2018/07/05 13:48:12.411901, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/05 13:48:12.423964, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2018/07/05 13:48:12.480798, 3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'SAMDOM\myuser' using home directory: '/home/SAMDOM/myuser'
[2018/07/05 13:48:12.482416, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.0.0.10 (10.0.0.10)
[2018/07/05 13:48:12.482509, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2018/07/05 13:48:12.482581, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/07/05 13:48:12.482619, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/07/05 13:48:12.482657, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2018/07/05 13:48:12.482696, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [dfs_samba4]
[2018/07/05 13:48:12.482738, 2] ../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2018/07/05 13:48:12.485807, 3] ../source3/smbd/service.c:841(make_connection_snum)
  10.0.0.10 (ipv4:10.0.0.10:50263) connect to service IPC$ initially as user SAMDOM\myuser (uid=3000071, gid=100) (pid 11670)
[2018/07/05 13:48:12.486968, 3] ../source3/smbd/msdfs.c:1008(get_referred_path)
  get_referred_path: |RootDisk| in dfs path \srvaddc.samdom.it\RootDisk is not a dfs root.
[2018/07/05 13:48:12.487048, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2018/07/05 13:48:12.489682, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.0.0.10 (10.0.0.10)
[2018/07/05 13:48:12.489742, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID root is not in a valid format
[2018/07/05 13:48:12.491233, 3] ../libcli/security/dom_sid.c:210(dom_sid_parse_endp)
  string_to_sid: SID SAMDOM\myuser is not in a valid format
[2018/07/05 13:48:12.558201, 1] ../source3/param/loadparm.c:2480(lp_idmap_range)
  idmap range not specified for domain '*'
[2018/07/05 13:48:12.577539, 1] ../source3/auth/token_util.c:442(add_local_groups)
  SID S-1-5-21-299502267-616249376-1417001333-4174 -> getpwuid(3000002) failed
[2018/07/05 13:48:12.577678, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_tcon.c:135
[2018/07/05 13:48:14.672221, 2] ../source3/smbd/service.c:1120(close_cnum)
  10.0.0.10 (ipv4:10.0.0.10:50263) closed connection to service sysvol
-----

What shall I check?
Rowland Penny
2018-Jul-05  12:23 UTC
[Samba] NT_STATUS_NO_MEMORY accessing a DC shared resource
On Thu, 5 Jul 2018 14:03:43 +0200
"Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:

> I have a working Samba 4.7.6 DC with the default /sysvol
> and /netlogon shares.
>
> These shares work perfectly and domain users can access them without
> any issue.
>
> Now, to ease experimenting with config files and stuff (it's not a
> production server), I've added a /rootdisk share (path=/) limiting
> its access to root and domain admins:
>
> ---------
> # cat /etc/samba/smb.conf
> [global]
>         bind interfaces only = Yes
>         interfaces = lo eth_lan
>         netbios name = SRVADDC
>         realm = SAMDOM.LOCAL
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMDOM
>         #username map = /etc/samba/username.map
>
> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.it/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [RootDisk]
>         path = /
>         read only = No
>         valid users = root SAMDOM\myuser @"SAMDOM\domain admins"
>         force user = root
>         force group = root
>         create mode = 0640
>         force create mode = 0640
> -----
>
> It worked at first but now, after about 2 days, it stopped working
> and I can't connect to it from Windows anymore.
>
>
> What shall I check?
>

Your glasses (or lack of) ;-)

If you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

You will find this:

If you must use the Samba DC as a fileserver, you should be aware that the auto-enabled acl_xattr virtual file system (VFS) object enables you to only configure shares with Windows access control lists (ACL). Running shares with POSIX ACLs on a Samba DC is not supported and will not work.

Or to put it another way, you must set the permissions from Windows

This is one of the problems/features of using a DC as a fileserver.

Remove everything after the 'read only = No' line and read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
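
The check implied by the reply above, as an added example that is not part of the original thread or of Samba's own tooling: it parses an smb.conf and, when the server role is an AD DC, lists the share parameters the reply says to remove. The function names and the FLAGGED set are assumptions built from this thread's [RootDisk] share.

```python
import re

# Share parameters the reply says to remove on a DC (assumption: this set is
# taken from the thread's [RootDisk]). smb.conf(5): case and whitespace in
# section and parameter names are irrelevant, so names are normalized.
FLAGGED = {"validusers", "forceuser", "forcegroup", "createmode", "forcecreatemode"}
DC_ROLE = "active directory domain controller"

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def check_dc_shares(text):
    """Return sorted (share, parameter) pairs to review; [] when not a DC."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("serverrole", "").lower() != DC_ROLE:
        return []
    return sorted((share, key) for share, params in conf.items()
                  if share != "global" for key in params if key in FLAGGED)

# smb.conf from the original post, abridged to the relevant lines.
SAMPLE = r"""
[global]
    server role = active directory domain controller
[sysvol]
    path = /var/lib/samba/sysvol
[RootDisk]
    path = /
    read only = No
    valid users = root SAMDOM\myuser @"SAMDOM\domain admins"
    force user = root
    force group = root
    create mode = 0640
    force create mode = 0640
"""
```

Calling check_dc_shares(SAMPLE) returns the five [RootDisk] parameters; the same file cut off after 'read only = No' returns an empty list.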
Ing. Claudio Nicora
2018-Jul-05  13:29 UTC
[Samba] NT_STATUS_NO_MEMORY accessing a DC shared resource
> Your glasses (or lack of) ;-)

I usually agree, but in this case I've seen that warning and voluntarily ignored it because it worked for 2 days... I thought I was lucky ;-)

> Or to put it another way, you must set the permissions from Windows
>
> This is one of the problems/features of using a DC as a fileserver.
>
> Remove everything after the 'read only = No' line and read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland

I've changed smb.conf as suggested, then changed permissions from Linux (Windows Explorer gave access denied when enumerating object content):

# setfacl -m "default:group:SAMDOM:rwx" /
# setfacl -m "group:SAMDOM\Domain Admins:rwx" /
# ... restricted access at minimum ...
# setfacl -m "default:other::" /
# setfacl -m "other::" /

Now the share works and I can edit/copy/delete files without issues.

There's a last thing I'd like to fix: when I create a new file, it gets created with these permissions:

-----
# ls -l
-rwxrwx---+ 1 3000000 users 0 Jul 5 15:11 'New text document.txt'*
-----

Is there a way to force it being created with root:root as owner and possibly with more strict permissions (I'm scared I'll forget the permission issue in the near future)?

Rowland, thanks for your help and patience ;-)