Chris Olive
2020-Sep-24 02:23 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
Been using Samba since the early days and it's always worked terrifically. Install it from RPM or apt or yum, make a few tweaks to the smb.conf and I'm off and running without fail.

So to run into a situation where I'm getting denied has really stumped me. I dialed up logging to try and get a peek into what's failing and things start falling apart around NT_STATUS_ACCESS_DENIED and then my connection gets shut down. I can see Samba authenticating me just fine, mapping my username to the correct /home directory, the right UID and GID (first line in attached log)... Everything is going swimmingly and then PLONK.

I have no idea what it's borking on. SELinux dialed down to permissive. I've tried swapping tdbsam database for smbpasswd... nothing seems to work. Even with this logging, I'm still shooting in the dark.

I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm wondering about that part of it, but in fiddling with the firewall on the CentOS 8 VM itself, I can change the behavior enough to see it's getting through properly. All necessary ports are open (137-139, 445).

I'm stuck at this point. Makes zero sense to me. I have a very similar set up in another CentOS 8 box that works flawlessly as every other installation I've done in 20 years.

[Snipped lines above that show successful AuthN, forced mapping to "Domain Users", etc. all correct]
  colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially as user chris (uid=1000, gid=1000) (pid 98051)
[2020/09/23 19:03:37.024156, 3] ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
  api_pipe_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024174, 3] ../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
  check_bind_req for lsarpc context_id=0
[2020/09/23 19:03:37.024184, 3] ../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
  check_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024199, 5] ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/09/23 19:03:37.024208, 5] ../../source3/auth/auth.c:423(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2020/09/23 19:03:37.024214, 5] ../../source3/auth/auth.c:448(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2020/09/23 19:03:37.024217, 5] ../../source3/auth/auth.c:423(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2020/09/23 19:03:37.024220, 5] ../../source3/auth/auth.c:448(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2020/09/23 19:03:37.024760, 3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_GETUSERNAME
[2020/09/23 19:03:37.025554, 3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_OPENPOLICY2
[2020/09/23 19:03:37.026233, 3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_LOOKUPNAMES
[2020/09/23 19:03:37.026401, 3] ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.027169, 3] ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
  api_rpcTNP: rpc command: LSA_CLOSE
[2020/09/23 19:03:37.028187, 3] ../../source3/smbd/service.c:1131(close_cnum)
  colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
[2020/09/23 19:03:37.029241, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029266, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029554, 2] ../../source3/smbd/service.c:1131(close_cnum)
  colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris

Chris
--
Chris Olive | chris at TechnologEase.com
Rowland penny
2020-Sep-24 07:43 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
I think you need to post your smb.conf file, your log says this:

  Making default auth method list for server role = 'standalone server'

and then goes on to say:

  Forcing Primary Group to 'Domain Users' for chris

The two are a bit mutually exclusive, a standalone server cannot be a member of a domain.

Rowland
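An added example, not part of the original thread: a small parser for smbd log output like that quoted above, which extracts the server role line and every smbd_smb2_request_error_ex status together with the source location that raised it. The sample entries are taken from the log in this thread and laid out as a header line followed by an indented message line, which is an assumed on-disk layout; the function names are hypothetical.

```python
import re

# Sample entries taken from the log in this thread, laid out one header line
# plus one indented message line per entry (assumed on-disk layout).
SAMPLE_LOG = """\
[2020/09/23 19:03:37.024199, 5] ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/09/23 19:03:37.026401, 3] ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.029241, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
ERROR = re.compile(r"idx\[(\d+)\] status\[(NT_STATUS_\w+)\] \|\| at (\S+):(\d+)")
ROLE = re.compile(r"server role = '([^']+)'")

def parse_entries(text):
    """Group log text into entries: header fields plus the joined message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Return (server role, [error statuses with the file:line that raised them])."""
    role, errors = None, []
    for e in entries:
        found = ROLE.search(e["msg"])
        if found:
            role = found.group(1)
        for idx, status, src, line in ERROR.findall(e["msg"]):
            errors.append({"ts": e["ts"], "idx": int(idx), "status": status,
                           "raised_at": f"{src.rsplit('/', 1)[-1]}:{line}"})
    return role, errors

if __name__ == "__main__":
    role, errors = summarize(parse_entries(SAMPLE_LOG))
    print("server role:", role)
    for err in errors:
        print(err["ts"], err["status"], "raised at", err["raised_at"])
```

On the sample, the first status in log order is NT_STATUS_ACCESS_DENIED raised at smb2_create.c:296, and the NT_STATUS_FILE_CLOSED status follows it within the same millisecond.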
Chris Olive
2020-Sep-24 19:06 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
No real "standalone" or domains explicitly specified in the smb.conf file. This is a host with containers on it, but at this level, this is the smb.conf file for the host itself.

Ironically when I install SMB in a container and spin it up it works fine. At the machine level it does not. All these issues took place before I tried it in a container, so the log I originally sent was when Samba was installed at the host level and not in a container.

Still beats the heck out of me. I've never had any issue with Samba.

[global]
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    cups options = raw
    ## encrypt passwords = yes
    load printers = yes
    local master = no
    log level = 3 passdb:5 auth:5
    name resolve order = wins lmhosts bcast
    netbios name = LXD1
    os level = 65
    passdb backend = tdbsam
    ## passdb backend = smbpasswd
    passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
    passwd program = /usr/bin/passwd %u
    printcap cache time = 750
    printcap name = cups
    printing = cups
    server string = LXD Containers
    unix password sync = yes
    wins support = Yes
    workgroup = LXD1

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = Yes
    read only = No
    inherit acls = Yes
    create mask = 0755
    directory mask = 0750