Tomasz Majewski
2025-Jan-10 09:44 UTC
[Samba] Problem with access to shares on 4.9.5 after upgrade DC to 4.17.12
Hi, I have domain controled by samba. I have updated my two DC's from 4.9.5 -> 4.13.13 -> 4.17.12. After that my win10 clients dont have access to shares served by two file servers joned to the domain. There were no problems before. Clients are joined to the domain too. Users can login on machines without problem. Only shares from file servers are unavaible. File servers have samba 4.9.5 and are not updated yet! Could this be the cause? Strange, but when I updated some of my win10 clients to 22H2, updated machines and others win10 client without updates restored access to shares. Maybe updates or time is a cure? ############## My DC1 config: [global] netbios name = DC1 realm = MYDOMAIN.NET workgroup = MYDOMAIN dns forwarder = 10.10.10.10 server role = active directory domain controller idmap_ldb:use rfc2307 = yes interfaces = lo ens161 bind interfaces only = yes log level = 1 [netlogon] path = /var/lib/samba/sysvol/mydomain.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ############## My DC2 config: [global] netbios name = DC2 realm = MYDOMAIN.NET workgroup = MYDOMAIN dns forwarder = 10.10.10.10 server role = active directory domain controller idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/mydomain.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ############## My file server (SMB2) config: [global] security = ADS workgroup = MYDOMAIN realm = MYDOMAIN.NET username map = /etc/samba/user.map log file = /var/log/samba/%m.log log level = 1 idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config MYDOMAIN: backend = ad idmap config MYDOMAIN: schema_mode = rfc2307 idmap config MYDOMAIN: range = 10000-999999 winbind use default domain = yes winbind nss info = template template shell = /bin/bash template homedir = /mnt/samba/MYDOMAIN/%U winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes wins support = yes local master = yes preferred master = yes domain master = yes [users] path = /mnt/samba/MYDOMAIN read only = no veto oplock files = /*.lock/*.tmp/*.TMP/ [tmp] path = /mnt/samba/tmp read only = no [public] path = /mnt/samba/public read only = no [apps] path = /mnt/samba/apps read only = no [common] path = /mnt/samba/common read only = no ############## Logs from one of my machines, which can't access to shares after login: [2025/01/10 08:12:44.367442, 2] ../source3/lib/interface.c:345(add_interface) added interface ens192 ip=192.168.223.11 bcast=192.168.223.255 netmask=255.255.255.0 [2025/01/10 08:13:39.377068, 3] ../source3/smbd/oplock.c:1389(init_oplocks) init_oplocks: initializing messages. [2025/01/10 08:13:39.377222, 3] ../source3/smbd/process.c:1956(process_smb) Transaction 0 of length 73 (0 toread) [2025/01/10 08:13:39.377306, 3] ../source3/smbd/process.c:1543(switch_message) switch message SMBnegprot (pid 8685) conn 0x0 [2025/01/10 08:13:39.378245, 3] ../source3/smbd/negprot.c:636(reply_negprot) Requested protocol [NT LM 0.12] [2025/01/10 08:13:39.378299, 3] ../source3/smbd/negprot.c:636(reply_negprot) Requested protocol [SMB 2.002] [2025/01/10 08:13:39.378391, 3] ../source3/smbd/negprot.c:636(reply_negprot) Requested protocol [SMB 2.???] [2025/01/10 08:13:39.378527, 3] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot) Selected protocol SMB2_FF [2025/01/10 08:13:39.379225, 3] ../source3/smbd/negprot.c:771(reply_negprot) Selected protocol SMB 2.??? [2025/01/10 08:13:39.379614, 3] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot) Selected protocol SMB3_11 [2025/01/10 08:13:39.389582, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac) Found account name from PAC: OPS2B$ [] [2025/01/10 08:13:39.389656, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [OPS2B$@MYDOMAIN.NET] [2025/01/10 08:13:39.390061, 3] ../source3/param/loadparm.c:3872(lp_load_ex) lp_load_ex: refreshing parameters [2025/01/10 08:13:39.390173, 3] ../source3/param/loadparm.c:548(init_globals) Initialising global parameters [2025/01/10 08:13:39.390291, 3] ../source3/param/loadparm.c:2786(lp_do_section) Processing section "[global]" [2025/01/10 08:13:39.390529, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[users]" [2025/01/10 08:13:39.390608, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[tmp]" [2025/01/10 08:13:39.390661, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[public]" [2025/01/10 08:13:39.390733, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[apps]" [2025/01/10 08:13:39.390821, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[common]" [2025/01/10 08:13:39.390918, 3] ../source3/param/loadparm.c:1621(lp_add_ipc) adding IPC service [2025/01/10 08:13:39.392271, 3] ../source3/smbd/password.c:133(register_homes_share) Adding homes service for user 'MYDOMAIN\ops2b$' using home directory: '/mnt/samba/MYDOMAIN/ops2b_' [2025/01/10 08:13:39.393155, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.393265, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/tmp' for service [IPC$] [2025/01/10 08:13:39.393357, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.393433, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.393480, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.395430, 3] ../lib/util/modules.c:167(load_module_absolute_path) load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded [2025/01/10 08:13:39.395523, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service IPC$ [2025/01/10 08:13:39.395663, 3] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$ initially as user MYDOMAIN\ops2b$ (uid=20045, gid=10006) (pid 8685) [2025/01/10 08:13:39.396450, 3] ../source3/smbd/msdfs.c:1063(get_referred_path) get_referred_path: |users| in dfs path \smb2\users is not a dfs root. [2025/01/10 08:13:39.396502, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312 [2025/01/10 08:13:39.472453, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac) Found account name from PAC: myuser [My User] [2025/01/10 08:13:39.472521, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [myuser at MYDOMAIN.NET] [2025/01/10 08:13:39.472824, 3] ../source3/param/loadparm.c:3872(lp_load_ex) lp_load_ex: refreshing parameters [2025/01/10 08:13:39.472904, 3] ../source3/param/loadparm.c:548(init_globals) Initialising global parameters [2025/01/10 08:13:39.472990, 3] ../source3/param/loadparm.c:2786(lp_do_section) Processing section "[global]" [2025/01/10 08:13:39.473174, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[users]" [2025/01/10 08:13:39.473227, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[tmp]" [2025/01/10 08:13:39.473290, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[public]" [2025/01/10 08:13:39.473334, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[apps]" [2025/01/10 08:13:39.473394, 2] ../source3/param/loadparm.c:2803(lp_do_section) Processing section "[common]" [2025/01/10 08:13:39.473458, 3] ../source3/param/loadparm.c:1621(lp_add_ipc) adding IPC service [2025/01/10 08:13:39.474652, 3] ../source3/smbd/password.c:133(register_homes_share) Adding homes service for user 'MYDOMAIN\myuser' using home directory: '/mnt/samba/MYDOMAIN/myuser' [2025/01/10 08:13:39.475429, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.475526, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/mnt/samba/MYDOMAIN' for service [users] [2025/01/10 08:13:39.475585, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.475625, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.475670, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.475714, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service users [2025/01/10 08:13:39.475834, 2] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service users initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685) [2025/01/10 08:13:39.477054, 3] ../source3/smbd/filename.c:1425(get_real_filename_full_scan) scan dir didn't open dir [OPS] [2025/01/10 08:13:39.477114, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:296 [2025/01/10 08:13:39.480321, 3] ../source3/smbd/filename.c:1425(get_real_filename_full_scan) scan dir didn't open dir [OPS] [...] [2025/01/10 08:13:39.916912, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:296 [2025/01/10 08:13:39.916936, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../source3/smbd/smb2_server.c:2599 [2025/01/10 08:13:39.917715, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.917776, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/tmp' for service [IPC$] [2025/01/10 08:13:39.917798, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.917806, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.917813, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.917823, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service IPC$ [2025/01/10 08:13:39.917895, 3] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service IPC$ initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685) [2025/01/10 08:13:39.921999, 3] ../source3/smbd/msdfs.c:1063(get_referred_path) get_referred_path: |public| in dfs path \SMB2\public is not a dfs root. [2025/01/10 08:13:39.922017, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312 [2025/01/10 08:13:39.937889, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.937924, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/mnt/samba/public' for service [public] [2025/01/10 08:13:39.937943, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.937951, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.937962, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.937971, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service public [2025/01/10 08:13:39.938036, 2] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service public initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685) [2025/01/10 08:13:39.942636, 3] ../source3/smbd/msdfs.c:1063(get_referred_path) get_referred_path: |apps| in dfs path \SMB2\apps is not a dfs root. [2025/01/10 08:13:39.942657, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312 [2025/01/10 08:13:39.952389, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.952424, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps] [2025/01/10 08:13:39.952449, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.952458, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.952465, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.952476, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service apps [2025/01/10 08:13:39.952543, 2] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685) [2025/01/10 08:13:39.960794, 3] ../source3/smbd/service.c:156(chdir_current_service) chdir (/mnt/samba/apps) failed, reason: Brak dost?pu [2025/01/10 08:13:39.960851, 0] ../source3/smbd/uid.c:453(change_to_user_internal) change_to_user_internal: chdir_current_service() failed! [2025/01/10 08:13:39.960890, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2522 [2025/01/10 08:13:39.960905, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_NETWORK_NAME_DELETED] || at ../source3/smbd/smb2_server.c:2522 [2025/01/10 08:13:39.961440, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.961486, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/mnt/samba/apps' for service [apps] [2025/01/10 08:13:39.961506, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks [2025/01/10 08:13:39.961513, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/] [2025/01/10 08:13:39.961520, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr] [2025/01/10 08:13:39.961528, 2] ../source3/modules/vfs_acl_xattr.c:234(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service apps [2025/01/10 08:13:39.961602, 2] ../source3/smbd/service.c:849(make_connection_snum) 192.168.223.239 (ipv4:192.168.223.239:51373) connect to service apps initially as user MYDOMAIN\myuser (uid=10116, gid=10001) (pid 8685) [2025/01/10 08:13:39.962052, 3] ../source3/smbd/service.c:156(chdir_current_service) chdir (/mnt/samba/apps) failed, reason: Brak dost?pu [2025/01/10 08:13:39.962069, 0] ../source3/smbd/uid.c:453(change_to_user_internal) change_to_user_internal: chdir_current_service() failed! [2025/01/10 08:13:39.962090, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2522 [2025/01/10 08:13:39.966997, 3] ../source3/smbd/msdfs.c:1063(get_referred_path) get_referred_path: |tmp| in dfs path \SMB2\tmp is not a dfs root. [2025/01/10 08:13:39.967017, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312 [2025/01/10 08:13:39.995888, 3] ../lib/util/access.c:365(allow_access) Allowed connection from 192.168.223.239 (192.168.223.239) [2025/01/10 08:13:39.995937, 3] ../source3/smbd/service.c:603(make_connection_snum) make_connection_snum: Connect path is '/mnt/samba/tmp' for service [tmp] [...]
Rowland Penny
2025-Jan-10 10:26 UTC
[Samba] Problem with access to shares on 4.9.5 after upgrade DC to 4.17.12
On Fri, 10 Jan 2025 10:44:28 +0100 Tomasz Majewski via samba <samba at lists.samba.org> wrote:> Hi, > I have domain controled by samba. > > I have updated my two DC's from 4.9.5 -> 4.13.13 -> 4.17.12. After > that my win10 clients dont have access to shares served by two file > servers joned to the domain. There were no problems before. > > Clients are joined to the domain too. Users can login on machines > without problem. Only shares from file servers are unavaible. > > File servers have samba 4.9.5 and are not updated yet! Could this be > the cause? >Yes, probably, SMBv1 was turn off by default at 4.11.0 , so this, along with other changes that have happened since, could be your problem. Please upgrade the fileservers. If you still have problems after the upgrade, then these can be looked at, if you have a problem with 4.9.5 , you have no chance of getting it fixed, that version is EOL. Rowland