Chris Olive
2020-Sep-24 02:23 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
Been using Samba since the early days and it's always worked terrifically. Install it from RPM or apt or yum, make a few tweaks to the smb.conf and I'm off and running without fail.

So to run into a situation where I'm getting denied has really stumped me. I dialed up logging to try and get a peek into what's failing and things start falling apart around NT_STATUS_ACCESS_DENIED and then my connection gets shut down. I can see Samba authenticating me just fine, mapping my username to the correct /home directory, the right UID and GID (first line in attached log)... Everything is going swimmingly and then PLONK.

I have no idea what it's borking on. SELinux dialed down to permissive. I've tried swapping tdbsam database for smbpasswd... nothing seems to work. Even with this logging, I'm still shooting in the dark.

I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm wondering about that part of it, but in fiddling with the firewall on the CentOS 8 VM itself, I can change the behavior enough to see it's getting through properly. All necessary ports are open (137-139, 445).

I'm stuck at this point. Makes zero sense to me. I have a very similar setup in another CentOS 8 box that works flawlessly as every other installation I've done in 20 years.

[Snipped lines above that show successful AuthN, forced mapping to "Domain Users", etc. all correct]
colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially as user chris (uid=1000, gid=1000) (pid 98051)
[2020/09/23 19:03:37.024156, 3]
../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
api_pipe_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024174, 3]
../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
check_bind_req for lsarpc context_id=0
[2020/09/23 19:03:37.024184, 3]
../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
check_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024199, 5]
../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/09/23 19:03:37.024208, 5]
../../source3/auth/auth.c:423(load_auth_module)
load_auth_module: Attempting to find an auth method to match anonymous
[2020/09/23 19:03:37.024214, 5]
../../source3/auth/auth.c:448(load_auth_module)
load_auth_module: auth method anonymous has a valid init
[2020/09/23 19:03:37.024217, 5]
../../source3/auth/auth.c:423(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2020/09/23 19:03:37.024220, 5]
../../source3/auth/auth.c:448(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2020/09/23 19:03:37.024760, 3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
api_rpcTNP: rpc command: LSA_GETUSERNAME
[2020/09/23 19:03:37.025554, 3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
api_rpcTNP: rpc command: LSA_OPENPOLICY2
[2020/09/23 19:03:37.026233, 3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
api_rpcTNP: rpc command: LSA_LOOKUPNAMES
[2020/09/23 19:03:37.026401, 3]
../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.027169, 3]
../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
api_rpcTNP: rpc command: LSA_CLOSE
[2020/09/23 19:03:37.028187, 3]
../../source3/smbd/service.c:1131(close_cnum)
colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
[2020/09/23 19:03:37.029241, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029266, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029554, 2]
../../source3/smbd/service.c:1131(close_cnum)
colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris

Chris
--
Chris Olive | chris at TechnologEase.com
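The log above is the main evidence in this thread, so here is a small parser for the smbd debug format that replays the connect/close/error events in the excerpt and attributes each NT_STATUS failure to the client and to the shares still open when it happened. This is an added example, not code from the thread or from the Samba project: the sample input is the excerpt above re-wrapped into header/location/message lines, the function names are mine, and it assumes one client per smbd child process (smbd forks a child per connection) and addresses in the `(ipv4:addr:port)` form seen in the log.

```python
import re
from collections import defaultdict

# Constructed sample input: the smbd debug excerpt from the post above, cut to
# the entries that matter, with each entry restored to the header / location /
# message lines the mail client had run together. The first line has no header
# because the lines before it were snipped in the post.
SAMPLE_LOG = """\
colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially as user chris (uid=1000, gid=1000) (pid 98051)
[2020/09/23 19:03:37.024156, 3]
../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
api_pipe_bind_req: lsarpc -> lsarpc rpc service
[2020/09/23 19:03:37.024199, 5]
../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/09/23 19:03:37.026401, 3]
../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for chris
[2020/09/23 19:03:37.028187, 3]
../../source3/smbd/service.c:1131(close_cnum)
colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
[2020/09/23 19:03:37.029241, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
[2020/09/23 19:03:37.029259, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029266, 3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
[2020/09/23 19:03:37.029554, 2]
../../source3/smbd/service.c:1131(close_cnum)
colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris
"""

# Samba debug header "[date time, level]"; pid/uid fields may follow inside the
# brackets, and the source location may sit on the same line (Samba's native
# layout) or on the next line (as in the mail above).
HEADER = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)[^\]]*\]'
                    r'(?:\s+(\S+\.c:\d+\(\w+\)))?\s*$')
LOCATION = re.compile(r'^\S+\.c:\d+\(\w+\)$')
CONNECT = re.compile(r'\(ipv4:([^)]+)\) connect to service (\S+) initially as user (\S+)')
CLOSE = re.compile(r'\(ipv4:([^)]+)\) closed connection to service (\S+)')
STATUS = re.compile(r'status\[(NT_STATUS_\w+)\] \|\| at (\S+)')


def parse_entries(text):
    """Group raw log lines into entries: {time, level, location, message}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {'time': m.group(1), 'level': int(m.group(2)),
                   'location': m.group(3), 'message': ''}
            entries.append(cur)
            continue
        if cur is not None and cur['location'] is None and LOCATION.match(line):
            cur['location'] = line
            continue
        if cur is None:  # message text before any header (snipped excerpt)
            cur = {'time': None, 'level': None, 'location': None, 'message': ''}
            entries.append(cur)
        cur['message'] = f"{cur['message']} {line}".strip()  # wrapped messages
    return entries


def summarize(text):
    """Replay connect/close/error events. Assumption for this example: the log
    comes from one smbd child, so every entry belongs to the single client seen
    in the connect/close lines (the error lines themselves carry no address)."""
    ev = {'client': None, 'connects': [], 'closes': [], 'errors': []}
    open_services = []  # shares connected and not yet closed, in this excerpt
    for e in parse_entries(text):
        msg = e['message']
        conn, clos, stat = CONNECT.search(msg), CLOSE.search(msg), STATUS.search(msg)
        if conn:
            ev['client'] = conn.group(1).rsplit(':', 1)[0]  # drop the port
            open_services.append(conn.group(2))
            ev['connects'].append((e['time'], conn.group(2), conn.group(3)))
        elif clos:
            ev['client'] = clos.group(1).rsplit(':', 1)[0]
            if clos.group(2) in open_services:
                open_services.remove(clos.group(2))
            ev['closes'].append((e['time'], clos.group(2)))
        elif stat:
            ev['errors'].append({'time': e['time'], 'status': stat.group(1),
                                 'at': stat.group(2),
                                 'open_services': list(open_services)})
    return ev


def access_denied_counts(text):
    """Per-client count of NT_STATUS_ACCESS_DENIED, the figure a monitoring
    rule would threshold on: repeated denials after a successful session
    setup are worth a look, whether they come from misconfiguration or not."""
    ev = summarize(text)
    counts = defaultdict(int)
    for err in ev['errors']:
        if err['status'] == 'NT_STATUS_ACCESS_DENIED':
            counts[ev['client'] or 'unknown'] += 1
    return dict(counts)
```

Run against the excerpt, `summarize()` reports one ACCESS_DENIED at `smb2_create.c:296` at 19:03:37.029241, after IPC$ was already closed and with no share connect visible in the excerpt (the connect for the `chris` home share happened in the snipped lines), followed by two FILE_CLOSED errors and the close of `chris`; `access_denied_counts()` attributes the denial to 172.16.112.1.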
Rowland penny
2020-Sep-24 07:43 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
On 24/09/2020 03:23, Chris Olive via samba wrote:
> Been using Samba since the early days and it's always worked terrifically.
> Install it from RPM or apt or yum, make a few tweaks to the smb.conf and
> I'm off and running without fail.
>
> So to run into a situation where I'm getting denied has really stumped me.
> I dialed up logging to try and get a peek into what's failing and things
> start falling apart around NT_STATUS_ACCESS_DENIED and then my connection
> gets shut down. I can see Samba authenticating me just fine, mapping my
> username to the correct /home directory, the right UID and GID (first line
> in attached log)... Everything is going swimmingly and then PLONK.
>
> I have no idea what it's borking on. SELinux dialed down to permissive.
> I've tried swapping tdbsam database for smbpasswd... nothing seems to work.
> Even with this logging, I'm still shooting in the dark.
>
> I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under
> VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm
> wondering about that part of it, but in fiddling with the firewall on the
> CentOS 8 VM itself, I can change the behavior enough to see it's getting
> through properly. All necessary ports are open (137-139, 445).
>
> I'm stuck at this point. Makes zero sense to me. I have a very similar set
> up in another CentOS 8 box that works flawlessly as every other
> installation I've done in 20 years.
>
> [Snipped lines above that show successful AuthN, forced mapping to "Domain
> Users", etc. all correct]
> colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially
> as user chris (uid=1000, gid=1000) (pid 98051)
> [2020/09/23 19:03:37.024156, 3]
> ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
> api_pipe_bind_req: lsarpc -> lsarpc rpc service
> [2020/09/23 19:03:37.024174, 3]
> ../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
> check_bind_req for lsarpc context_id=0
> [2020/09/23 19:03:37.024184, 3]
> ../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
> check_bind_req: lsarpc -> lsarpc rpc service
> [2020/09/23 19:03:37.024199, 5]
> ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
> Making default auth method list for server role = 'standalone server',
> encrypt passwords = yes
> [2020/09/23 19:03:37.024208, 5]
> ../../source3/auth/auth.c:423(load_auth_module)
> load_auth_module: Attempting to find an auth method to match anonymous
> [2020/09/23 19:03:37.024214, 5]
> ../../source3/auth/auth.c:448(load_auth_module)
> load_auth_module: auth method anonymous has a valid init
> [2020/09/23 19:03:37.024217, 5]
> ../../source3/auth/auth.c:423(load_auth_module)
> load_auth_module: Attempting to find an auth method to match
> sam_ignoredomain
> [2020/09/23 19:03:37.024220, 5]
> ../../source3/auth/auth.c:448(load_auth_module)
> load_auth_module: auth method sam_ignoredomain has a valid init
> [2020/09/23 19:03:37.024760, 3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> api_rpcTNP: rpc command: LSA_GETUSERNAME
> [2020/09/23 19:03:37.025554, 3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> api_rpcTNP: rpc command: LSA_OPENPOLICY2
> [2020/09/23 19:03:37.026233, 3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> api_rpcTNP: rpc command: LSA_LOOKUPNAMES
> [2020/09/23 19:03:37.026401, 3]
> ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
> Forcing Primary Group to 'Domain Users' for chris
> [2020/09/23 19:03:37.027169, 3]
> ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> api_rpcTNP: rpc command: LSA_CLOSE
> [2020/09/23 19:03:37.028187, 3]
> ../../source3/smbd/service.c:1131(close_cnum)
> colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
> [2020/09/23 19:03:37.029241, 3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
> [2020/09/23 19:03:37.029259, 3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> [2020/09/23 19:03:37.029266, 3]
> ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9]
> status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> [2020/09/23 19:03:37.029554, 2]
> ../../source3/smbd/service.c:1131(close_cnum)
> colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris
>
> Chris
> --
> Chris Olive | chris at TechnologEase.com

I think you need to post your smb.conf file, your log says this:

Making default auth method list for server role = 'standalone server'

and then goes on to say:

Forcing Primary Group to 'Domain Users' for chris

The two are a bit mutually exclusive, a standalone server cannot be a member of a domain.

Rowland
Chris Olive
2020-Sep-24 19:06 UTC
[Samba] Can't connect after AuthN: NT_STATUS_ACCESS_DENIED
No real "standalone" or domains explicitly specified in the smb.conf file.

This is a host with containers on it, but at this level, this is the smb.conf file for the host itself. Ironically when I install SMB in a container and spin it up it works fine. At the machine level it does not. All these issues took place before I tried it in a container, so the log I originally sent was when Samba was installed at the host level and not in a container. Still beats the heck out of me. I've never had any issue with Samba.
[global]
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
cups options = raw
## encrypt passwords = yes
load printers = yes
local master = no
log level = 3 passdb:5 auth:5
name resolve order = wins lmhosts bcast
netbios name = LXD1
os level = 65
passdb backend = tdbsam
## passdb backend = smbpasswd
passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
passwd program = /usr/bin/passwd %u
printcap cache time = 750
printcap name = cups
printing = cups
server string = LXD Containers
unix password sync = yes
wins support = Yes
workgroup = LXD1

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = Yes
read only = No
inherit acls = Yes
create mask = 0755
directory mask = 0750
On Thu, Sep 24, 2020 at 2:43 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 24/09/2020 03:23, Chris Olive via samba wrote:
> > Been using Samba since the early days and it's always worked terrifically.
> > Install it from RPM or apt or yum, make a few tweaks to the smb.conf and
> > I'm off and running without fail.
> >
> > So to run into a situation where I'm getting denied has really stumped me.
> > I dialed up logging to try and get a peek into what's failing and things
> > start falling apart around NT_STATUS_ACCESS_DENIED and then my connection
> > gets shut down. I can see Samba authenticating me just fine, mapping my
> > username to the correct /home directory, the right UID and GID (first line
> > in attached log)... Everything is going swimmingly and then PLONK.
> >
> > I have no idea what it's borking on. SELinux dialed down to permissive.
> > I've tried swapping tdbsam database for smbpasswd... nothing seems to work.
> > Even with this logging, I'm still shooting in the dark.
> >
> > I'm connecting from a Mac to a Samba server running on a CentOS 8 VM under
> > VMware Fusion on my Mac. 172.16.112.1 is the VMware gateway, so I'm
> > wondering about that part of it, but in fiddling with the firewall on the
> > CentOS 8 VM itself, I can change the behavior enough to see it's getting
> > through properly. All necessary ports are open (137-139, 445).
> >
> > I'm stuck at this point. Makes zero sense to me. I have a very similar set
> > up in another CentOS 8 box that works flawlessly as every other
> > installation I've done in 20 years.
> >
> > [Snipped lines above that show successful AuthN, forced mapping to "Domain
> > Users", etc. all correct]
> > colive-12867 (ipv4:172.16.112.1:56106) connect to service IPC$ initially
> > as user chris (uid=1000, gid=1000) (pid 98051)
> > [2020/09/23 19:03:37.024156, 3]
> > ../../source3/rpc_server/srv_pipe.c:751(api_pipe_bind_req)
> > api_pipe_bind_req: lsarpc -> lsarpc rpc service
> > [2020/09/23 19:03:37.024174, 3]
> > ../../source3/rpc_server/srv_pipe.c:356(check_bind_req)
> > check_bind_req for lsarpc context_id=0
> > [2020/09/23 19:03:37.024184, 3]
> > ../../source3/rpc_server/srv_pipe.c:399(check_bind_req)
> > check_bind_req: lsarpc -> lsarpc rpc service
> > [2020/09/23 19:03:37.024199, 5]
> > ../../source3/auth/auth.c:547(make_auth3_context_for_ntlm)
> > Making default auth method list for server role = 'standalone server',
> > encrypt passwords = yes
> > [2020/09/23 19:03:37.024208, 5]
> > ../../source3/auth/auth.c:423(load_auth_module)
> > load_auth_module: Attempting to find an auth method to match anonymous
> > [2020/09/23 19:03:37.024214, 5]
> > ../../source3/auth/auth.c:448(load_auth_module)
> > load_auth_module: auth method anonymous has a valid init
> > [2020/09/23 19:03:37.024217, 5]
> > ../../source3/auth/auth.c:423(load_auth_module)
> > load_auth_module: Attempting to find an auth method to match
> > sam_ignoredomain
> > [2020/09/23 19:03:37.024220, 5]
> > ../../source3/auth/auth.c:448(load_auth_module)
> > load_auth_module: auth method sam_ignoredomain has a valid init
> > [2020/09/23 19:03:37.024760, 3]
> > ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> > api_rpcTNP: rpc command: LSA_GETUSERNAME
> > [2020/09/23 19:03:37.025554, 3]
> > ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> > api_rpcTNP: rpc command: LSA_OPENPOLICY2
> > [2020/09/23 19:03:37.026233, 3]
> > ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> > api_rpcTNP: rpc command: LSA_LOOKUPNAMES
> > [2020/09/23 19:03:37.026401, 3]
> > ../../source3/passdb/lookup_sid.c:1606(get_primary_group_sid)
> > Forcing Primary Group to 'Domain Users' for chris
> > [2020/09/23 19:03:37.027169, 3]
> > ../../source3/rpc_server/srv_pipe.c:1531(api_rpcTNP)
> > api_rpcTNP: rpc command: LSA_CLOSE
> > [2020/09/23 19:03:37.028187, 3]
> > ../../source3/smbd/service.c:1131(close_cnum)
> > colive-12867 (ipv4:172.16.112.1:56106) closed connection to service IPC$
> > [2020/09/23 19:03:37.029241, 3]
> > ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
> > [2020/09/23 19:03:37.029259, 3]
> > ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
> > status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> > [2020/09/23 19:03:37.029266, 3]
> > ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9]
> > status[NT_STATUS_FILE_CLOSED] || at ../../source3/smbd/smb2_server.c:2633
> > [2020/09/23 19:03:37.029554, 2]
> > ../../source3/smbd/service.c:1131(close_cnum)
> > colive-12867 (ipv4:172.16.112.1:56106) closed connection to service chris
> >
> > Chris
> > --
> > Chris Olive | chris at TechnologEase.com
>
> I think you need to post your smb.conf file, your log says this:
>
> Making default auth method list for server role = 'standalone server'
>
> and then goes on to say:
>
> Forcing Primary Group to 'Domain Users' for chris
>
> The two are a bit mutually exclusive, a standalone server cannot be a
> member of a domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
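Chris notes that nothing in his smb.conf names a server role, yet the log reports `server role = 'standalone server'`. That is Samba's AUTO resolution: when `server role` is unset it is derived from `security` (default `user`), so a config with neither setting is a standalone server. The following added example (my code, not from the thread or from the Samba project) parses the posted smb.conf, resolves the effective role with the same rules Samba applies (`security = domain`/`ads` gives a member server, `domain logons = yes` a classic PDC or BDC, otherwise standalone), and lists settings that are present but commented out. The printing/cups lines are omitted from the embedded sample, and the function names are my own.

```python
import re

# Constructed sample input: the [global] and [homes] stanzas posted above, with
# the two values the mail client had wrapped rejoined and the printing/cups
# parameters left out for brevity.
SAMPLE_SMB_CONF = r"""
[global]
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
## encrypt passwords = yes
local master = no
log level = 3 passdb:5 auth:5
name resolve order = wins lmhosts bcast
netbios name = LXD1
os level = 65
passdb backend = tdbsam
## passdb backend = smbpasswd
passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
passwd program = /usr/bin/passwd %u
server string = LXD Containers
unix password sync = yes
wins support = Yes
workgroup = LXD1
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = Yes
read only = No
inherit acls = Yes
create mask = 0755
directory mask = 0750
"""

SECTION = re.compile(r'^\[([^\]]+)\]$')


def parse_smb_conf(text):
    """Minimal smb.conf reader. Returns (sections, disabled): sections maps a
    lower-cased section name to {parameter: value}; disabled lists
    (section, parameter, value) for 'name = value' lines behind '#' or ';',
    i.e. settings someone wrote down that Samba never sees."""
    sections, disabled, current = {}, [], 'global'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        commented = line[0] in '#;'
        body = line.lstrip('#; ') if commented else line
        if '=' not in body:
            continue  # free-text comment
        name, value = (p.strip() for p in body.split('=', 1))
        name = ' '.join(name.lower().split())  # Samba ignores case and spacing in names
        if commented:
            disabled.append((current, name, value))
        else:
            sections.setdefault(current, {})[name] = value
    return sections, disabled


_is_true = lambda v: v.strip().lower() in ('yes', 'true', '1')


def effective_server_role(global_params):
    """Resolve the role as Samba does when 'server role' is left at AUTO:
    follow 'security' (default 'user'); domain/ads -> member server,
    user + 'domain logons = yes' -> classic PDC (BDC if 'domain master'
    is explicitly off), otherwise standalone server."""
    role = global_params.get('server role', 'auto').strip().lower()
    if role != 'auto':
        return role
    security = global_params.get('security', 'user').strip().lower()
    if security in ('domain', 'ads'):
        return 'member server'
    if _is_true(global_params.get('domain logons', 'no')):
        master = global_params.get('domain master', 'auto').strip().lower()
        if master == 'auto' or _is_true(master):
            return 'classic primary domain controller'
        return 'classic backup domain controller'
    return 'standalone server'


def audit(text):
    """Return (effective role, findings) for an smb.conf text."""
    sections, disabled = parse_smb_conf(text)
    g = sections.get('global', {})
    role, findings = effective_server_role(g), []
    if 'server role' not in g and 'security' not in g:
        findings.append(f"neither 'server role' nor 'security' is set; Samba defaults to '{role}'")
    for sec, name, value in disabled:
        findings.append(f"[{sec}] '{name} = {value}' is commented out and has no effect")
    homes = sections.get('homes')
    if homes is not None and '%s' not in homes.get('valid users', '').lower():
        findings.append("[homes] 'valid users' does not limit each home share to its owner (%S)")
    return role, findings
```

For the posted config `audit()` returns `standalone server` with two findings about the commented-out `encrypt passwords` and `passdb backend = smbpasswd` lines, and none for `[homes]`, whose `valid users = %S, %D%w%S` already restricts each home share to its owner.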