Lorenzo Milesi
2020-May-18 22:07 UTC
[Samba] Intermittent permission denied when accessing share
Thanks for the suggestions!

> The latter is easiest to deal with, replace it with a CNAME in the AD dns.

I did the CNAME, but when I remove the netbios alias I can see the shares list when accessing \\aliasname, but then I'm not allowed into any of them. I tried rebooting the client but same result, and I also don't see anything in the logs :(

> The first will require a bit more configuration, you will need to create
> a virtual network interface and assign a different ipaddress to that,
> this will ensure that your DC will know what to route '10.0.0.3' to.

I will deal with that asap.

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - Fax +39 178 6070 222
Lorenzo Milesi
2020-May-20 14:50 UTC
[Samba] Intermittent permission denied when accessing share
About the root problem of the thread, it seems a permission problem, but again I need some help on how to investigate further. I've just been reported a share wasn't accessible, I checked on another client and I was able to enter the folder but NOT to see the content, looked like empty. I have "hide unreadable" enabled, and while entering the share several times I noticed the file list gets populated but then disappears, so it's like when samba realizes the user doesn't have access to the files it hides them. But... Why is it happening? Restarting samba-ad-dc and refreshing the folder shows all the files. No filesystem change, no permission change.

The problem usually happens before entering the share, but it seems to me the cause could be the same.

I double checked the filesystem has acl support.

Side note: as I enabled recycle I have

    vfs objects = dfs_samba4 acl_xattr recycle

on every share, as indicated in the wiki.

Another test I made was about the netbios alias: when the share is not working it won't help accessing it with \\fileserver, instead of using \\alias, it won't work anyway.

> I did the CNAME, but when I remove the netbios alias I can see the shares list
> when accessing \\aliasname, but then I'm not allowed into any of them. I tried
> rebooting the client but same result, and I also don't see anything in the logs
> :(

Small update on the alias "thing". I did a new alias, partly to make a test. So I added the cname, added spn entries host/fqdn and host/hostname to fileserver$. Result: unable to access the server with the new alias. I get prompted for credentials (first issue), and even if I enter valid domain u/p I get rejected. After restarting Samba I'm able to browse the shares but not to enter them.

I get this in logs:

[2020/05/20 16:42:23.869228, 5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:23.869262, 8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE1 utf16-length: 26
[2020/05/20 16:42:23.869276, 8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE1 length: 26
[2020/05/20 16:42:23.869296, 3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:23.869317, 5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:23.869547, 5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:23.869573, 5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:23.869592, 8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE1 utf16-length: 26
[2020/05/20 16:42:23.869604, 8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE1 length: 26
[2020/05/20 16:42:23.869621, 3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:23.869645, 5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:32.887052, 5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:32.887148, 5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]
[2020/05/20 16:42:32.887177, 8] ../../source3/modules/vfs_dfs_samba4.c:121(dfs_samba4_get_referrals)
  dfs_samba4: Requested DFS name: \server\SHARE2 utf16-length: 34
[2020/05/20 16:42:32.887195, 8] ../../dfs_server/dfs_server_ad.c:815(dfs_server_ad_get_referrals)
  Requested DFS name: \server\SHARE2 length: 34
[2020/05/20 16:42:32.887223, 3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312
[2020/05/20 16:42:32.887248, 5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/20 16:42:32.888615, 5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/20 16:42:32.888649, 5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp]

I didn't try adding netbios alias to smb.conf.
Lorenzo Milesi
2020-May-27 18:18 UTC
[Samba] Intermittent permission denied when accessing share
Again on the intermittent inaccessible shares. I got another case today, it seems to be happening mostly in the evening... Anyway I collected this log about the client machine. Can the "Cannot get attribute from EA on file" be the reason of the negated access? I found this[1] RH bug report which seems to describe my issue, unfortunately it's against sss and I'm not using it.

Again, restarting solves the problem.

[2020/05/27 18:24:35.793520, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2020/05/27 18:24:35.793567, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (3000066, 100) - sec_ctx_stack_ndx = 0
[2020/05/27 18:24:35.793637, 5] ../../lib/dbwrap/dbwrap.c:143(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /usr/local/samba/var/lock/smbXsrv_open_global.tdb
[2020/05/27 18:24:35.793659, 5] ../../lib/dbwrap/dbwrap.c:172(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /usr/local/samba/var/lock/smbXsrv_open_global.tdb
[2020/05/27 18:24:35.793683, 5] ../../libcli/smb/smb2_signing.c:174(smb2_signing_sign_pdu)
  signed SMB2 message
[2020/05/27 18:24:35.795292, 5] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/05/27 18:24:35.795320, 5] ../../source3/smbd/uid.c:298(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(3000066,3000066), gid=(0,100), cwd=[/home/CONDIVISI/SHARE01]
[2020/05/27 18:24:35.795346, 5] ../../source3/smbd/dir.c:220(dptr_create)
  dptr_create: dir=2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio
[2020/05/27 18:24:35.795365, 5] ../../source3/smbd/dir.c:322(dptr_create)
  dptr_create: creating new dirptr [0] for path [2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio], expect_close = 0
[2020/05/27 18:24:35.795379, 8] ../../source3/smbd/smb2_query_directory.c:493(smbd_smb2_query_directory_send)
  smbd_smb2_query_directory_send: dirpath=<2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio> dontdescend=<>, in_output_buffer_length = 65528
[2020/05/27 18:24:35.795404, 6] ../../source3/smbd/dir.c:820(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: dirptr 0x55f3ceabc250 now at offset 0
[2020/05/27 18:24:35.795423, 8] ../../source3/smbd/dosmode.c:779(dos_mode)
  dos_mode: 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/.
[2020/05/27 18:24:35.795439, 5] ../../source3/smbd/dosmode.c:449(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/.: Error = No data available
[2020/05/27 18:24:35.795455, 5] ../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x10): "d"
[2020/05/27 18:24:35.795467, 3] ../../source3/smbd/dir.c:911(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/. fname=. (.)
[2020/05/27 18:24:35.795494, 6] ../../source3/smbd/dir.c:820(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: dirptr 0x55f3ceabc250 now at offset 2147483648
[2020/05/27 18:24:35.795511, 8] ../../source3/smbd/dosmode.c:779(dos_mode)
  dos_mode: 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/..
[2020/05/27 18:24:35.795527, 5] ../../source3/smbd/dosmode.c:449(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/..: Error = No data available
[2020/05/27 18:24:35.795542, 5] ../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x10): "d"
[2020/05/27 18:24:35.795553, 3] ../../source3/smbd/dir.c:911(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/.. fname=.. (..)
[2020/05/27 18:24:35.795595, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(3000066, 100) : sec_ctx_stack_ndx = 1
[2020/05/27 18:24:35.795611, 4] ../../source3/smbd/uid.c:566(push_conn_ctx)
  push_conn_ctx(3735803670) : conn_ctx_stack_ndx = 0
[2020/05/27 18:24:35.795622, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/05/27 18:24:35.795633, 5] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token: (NULL)
[2020/05/27 18:24:35.795643, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2020/05/27 18:24:35.795685, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (3000066, 100) - sec_ctx_stack_ndx = 0
[2020/05/27 18:24:35.795738, 6] ../../source3/smbd/dir.c:820(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: dirptr 0x55f3ceabc250 now at offset 996093369490470357
[2020/05/27 18:24:35.795755, 8] ../../source3/smbd/dosmode.c:779(dos_mode)
  dos_mode: 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/2017.07.03 Tizio Caio.pdf
[2020/05/27 18:24:35.795772, 5] ../../source3/smbd/dosmode.c:449(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file 2017 PAE/2 secondo-terzo trimestre 2017 inviati/2 Asdrubale 2/Tizio Caio/2017.07.03 Tizio Caio.pdf: Error = No data available

After restarting:

[2020/05/27 18:33:22.847436, 8] ../../source3/smbd/dosmode.c:779(dos_mode)
  dos_mode: 2019_2020_aggiornamenti_2-aggiornato.xlsx
[2020/05/27 18:33:22.847458, 5] ../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: parse_dos_attribute_blob returning (0x20): "a"
[2020/05/27 18:33:22.847472, 5] ../../source3/smbd/dosmode.c:72(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2020/05/27 18:33:22.847488, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(3000066, 100) : sec_ctx_stack_ndx = 1
[2020/05/27 18:33:22.847502, 4] ../../source3/smbd/uid.c:566(push_conn_ctx)
  push_conn_ctx(3547027380) : conn_ctx_stack_ndx = 0
[2020/05/27 18:33:22.847513, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/05/27 18:33:22.847524, 5] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token: (NULL)
[2020/05/27 18:33:22.847534, 5] ../../source3/auth/token_util.c:874(debug_unix_user_token)
  UNIX token of user 0

Thanks again.

> About the root problem of the thread, it seems a permission problem, but again I
> need some help on how to investigate further. I've just been reported a share
> wasn't accessible, I checked on another client and I was able to enter the
> folder but NOT to see the content, looked like empty. I have "hide unreadable"
> enabled, and while entering the share several times I noticed the file list
> gets populated but then disappears, so it's like when samba realizes the user
> doesn't have access to the files it hides them. But... Why is it happening?
> Restarting samba-ad-dc and refreshing the folder shows all the files. No
> filesystem change, no permission change.
> The problem usually happens before entering the share, but it seems to me the
> cause could be the same.
>
> I double checked the filesystem has acl support.
>
> Side note: as I enabled recycle I have
> vfs objects = dfs_samba4 acl_xattr recycle
> on every share, as indicated in the wiki.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1657665
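An added example, not part of the thread or of Samba's own code: a small Python parser for smbd debug records of the kind posted above. It tallies NT_STATUS errors by the source location that raised them, separately from the get_ea_dos_attribute lookups, and collects the impersonated uids, so a failing period can be compared with one captured after a restart. The function names are hypothetical and the sample input is constructed from lines in the thread with a placeholder file path.

```python
import re
from collections import Counter

# Header of one smbd debug record: "[date time.usec, level] file:line(function)"
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(\d+)\]\s+(\S+?):(\d+)\((\w+)\)"
)
NT_STATUS = re.compile(r"status\[(NT_STATUS_\w+)\] \|\| at (\S+)")
EA_MISS = re.compile(r"Cannot get attribute from EA on file (.+?): Error = (.+)")
IMPERSONATED = re.compile(r"Impersonated user: uid=\((\d+),(\d+)\)")

# Constructed sample: one wrapped record followed by two run together on one line.
SAMPLE = (
    "[2020/05/20 16:42:23.869296, 3] ../../source3/smbd/smb2_server.c:3274(smbd_smb2_request_error_ex)\n"
    "  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../../source3/smbd/smb2_ioctl.c:312\n"
    "[2020/05/20 16:42:23.869573, 5] ../../source3/smbd/uid.c:298(print_impersonation_info) "
    "print_impersonation_info: Impersonated user: uid=(3000020,3000020), gid=(0,100), cwd=[/tmp] "
    "[2020/05/27 18:24:35.795439, 5] ../../source3/smbd/dosmode.c:449(get_ea_dos_attribute) "
    "get_ea_dos_attribute: Cannot get attribute from EA on file docs/a.pdf: Error = No data available\n"
)


def parse_records(text):
    """Split a log into records; works on wrapped or run-together text."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = " ".join(text[m.end():end].split())  # collapse line wrapping
        records.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": f"{m.group(3)}:{m.group(4)}",
                        "func": m.group(5), "msg": body})
    return records


def summarise(records):
    """Count protocol errors, EA lookup failures, and impersonated uids."""
    out = {"nt_status": Counter(), "ea_missing": Counter(), "uids": set()}
    for r in records:
        if (m := NT_STATUS.search(r["msg"])):
            out["nt_status"][(m.group(1), m.group(2))] += 1  # (status, origin)
        elif (m := EA_MISS.search(r["msg"])):
            out["ea_missing"][m.group(2)] += 1  # keyed by the error text
        elif (m := IMPERSONATED.search(r["msg"])):
            out["uids"].add(int(m.group(1)))
    return out


if __name__ == "__main__":
    print(summarise(parse_records(SAMPLE)))
```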