
Re: [Samba] unexplained 'access denied' for windows workstations




Hi,

Even though the user had already rebooted this morning, another reboot seems to have solved this issue.

MJ

On 31-1-2017 10:25, mj via samba wrote:
Hi,

We are running a samba fileserver, access controlled using posix acl
(right 770, with users/groups on the filesystem level).

Therefore samba shares look like this:

[share]
path = /srv/academic
read only = no
writable = yes
create mask = 0770
directory mask = 0770

Now certain users complain that they cannot access certain folders, but
looking at the folders from the linux filesystem, their ownership is
identical. (let's say username:"domain users")

If on the fileserver I su to a problem user ('su username') and I check
group membership ('id') everything looks as expected, plus I CAN access
the folders.

So it seems it's samba that denies access, and there is no posix acl
issue. Looking at the samba logs, while the user gets an access denied,
I do not immediately see anything out of the ordinary:

[2017/01/31 10:08:32.322315,  3] ../source3/smbd/dosmode.c:196(unix_mode)
  unix_mode(digicam pictures/events/PHD Defences) returning 0770
[2017/01/31 10:08:32.322337,  3] ../source3/smbd/dosmode.c:196(unix_mode)
  unix_mode(digicam pictures/events/PHD Defences) returning 0760
[2017/01/31 10:08:32.322387,  5]
../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message
[2017/01/31 10:08:32.322903,  4]
../source3/smbd/uid.c:384(change_to_user)
  Skipping user change - already user
[2017/01/31 10:08:32.322941,  5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/cache/samba/locking.tdb
[2017/01/31 10:08:32.322990,  5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/cache/samba/locking.tdb
[2017/01/31 10:08:32.323013,  5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
[2017/01/31 10:08:32.323042,  5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
[2017/01/31 10:08:32.323063,  5] ../source3/smbd/files.c:555(file_free)
  freed files structure 3826762416 (5 used)
[2017/01/31 10:08:32.323092,  5]
../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message
[2017/01/31 10:08:43.323568,  4]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (5227, 513) - sec_ctx_stack_ndx = 0
[2017/01/31 10:08:43.323612,  5]
../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (45):
    SID[  0]: S-1-22-1-5227
    SID[  1]: S-1-22-2-513
    SID[  2]: S-1-5-21-12345678-123456789-868425949-35723
    SID[  3]: S-1-5-32-551
    SID[  4]: S-1-5-21-12345678-123456789-868425949-54195
    SID[  5]: S-1-22-2-5923
    SID[  6]: S-1-22-2-512
    SID[  7]: S-1-22-2-1074
    SID[  8]: S-1-5-21-12345678-123456789-868425949-1427
    SID[  9]: S-1-5-21-12345678-123456789-868425949-35793
    SID[ 10]: S-1-22-2-17376
    SID[ 11]: S-1-5-21-12345678-123456789-868425949-1066
    SID[ 12]: S-1-5-21-12345678-123456789-868425949-1074
    SID[ 13]: S-1-5-21-12345678-123456789-868425949-78605
    SID[ 14]: S-1-5-21-12345678-123456789-868425949-35751
    SID[ 15]: S-1-5-21-12345678-123456789-868425949-35755
    SID[ 16]: S-1-5-21-12345678-123456789-868425949-35801
    SID[ 17]: S-1-5-21-12345678-123456789-868425949-35733
    SID[ 18]: S-1-22-2-17372
    SID[ 19]: S-1-5-21-12345678-123456789-868425949-119399
    SID[ 20]: S-1-22-2-10003
    SID[ 21]: S-1-5-21-12345678-123456789-868425949-35771
    SID[ 22]: S-1-5-21-12345678-123456789-868425949-133266
    SID[ 23]: S-1-5-21-12345678-123456789-868425949-132320
    SID[ 24]: S-1-5-21-12345678-123456789-868425949-132355
    SID[ 25]: S-1-22-2-17361
    SID[ 26]: S-1-22-2-551
    SID[ 27]: S-1-22-2-26597
    SID[ 28]: S-1-22-2-1047
    SID[ 29]: S-1-22-2-17396
    SID[ 30]: S-1-22-2-1002
    SID[ 31]: S-1-22-2-1010
    SID[ 32]: S-1-22-2-38802
    SID[ 33]: S-1-22-2-17375
    SID[ 34]: S-1-22-2-17377
    SID[ 35]: S-1-22-2-17400
    SID[ 36]: S-1-22-2-17366
    SID[ 37]: S-1-22-2-59199
    SID[ 38]: S-1-22-2-17385
    SID[ 39]: S-1-22-2-10007
    SID[ 40]: S-1-22-2-10008
    SID[ 41]: S-1-22-2-10014
    SID[ 42]: S-1-1-0
    SID[ 43]: S-1-5-2
    SID[ 44]: S-1-5-11
   Privileges (0x               0):
   Rights (0x               0):
[2017/01/31 10:08:43.323953,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 5227
  Primary group is 513 and contains 24 supplementary groups
  Group[  0]: 513
  Group[  1]: 17361
  Group[  2]: 551
  Group[  3]: 26597
  Group[  4]: 5923
  Group[  5]: 512
  Group[  6]: 1074
  Group[  7]: 1047
  Group[  8]: 17396
  Group[  9]: 17376
  Group[ 10]: 1002
  Group[ 11]: 1010
  Group[ 12]: 38802
  Group[ 13]: 17375
  Group[ 14]: 17377
  Group[ 15]: 17400
  Group[ 16]: 17366
  Group[ 17]: 17372
  Group[ 18]: 59199
  Group[ 19]: 10003
  Group[ 20]: 17385
  Group[ 21]: 10007
  Group[ 22]: 10008
  Group[ 23]: 10014
[2017/01/31 10:08:43.324094,  5]
../source3/smbd/uid.c:363(change_to_user_internal)
  Impersonated user: uid=(5227,5227), gid=(0,513)
[2017/01/31 10:08:43.324115,  4] ../source3/smbd/vfs.c:858(vfs_ChDir)
  vfs_ChDir to /tmp
[2017/01/31 10:08:43.324143,  4] ../source3/smbd/vfs.c:869(vfs_ChDir)
  vfs_ChDir got /tmp
[2017/01/31 10:08:43.324160,  4]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/31 10:08:43.324175,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/31 10:08:43.324192,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/31 10:08:43.324217,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/31 10:08:43.324251,  4]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/31 10:08:43.324269,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/31 10:08:43.324284,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/31 10:08:43.324307,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/31 10:08:43.324324,  5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
[2017/01/31 10:08:43.324400,  5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
[2017/01/31 10:08:43.324423,  4]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/31 10:08:43.324441,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/31 10:08:43.324455,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/31 10:08:43.324478,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/31 10:08:43.324501,  3]
../source3/smbd/service.c:1138(close_cnum)
  192.87.143.126 (ipv4:192.87.143.126:50887) closed connection to
service IPC$
[2017/01/31 10:08:43.324528,  4] ../source3/smbd/vfs.c:858(vfs_ChDir)
  vfs_ChDir to /
[2017/01/31 10:08:43.324552,  4] ../source3/smbd/vfs.c:869(vfs_ChDir)
  vfs_ChDir got /
[2017/01/31 10:08:43.324571,  4]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/31 10:08:43.324587,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/31 10:08:43.324601,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/01/31 10:08:43.324623,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/31 10:08:43.324660,  5]
../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
  signed SMB2 message

Anyone with an idea where to look..?

(fileserver running samba-4.2.11, debian wheezy)

MJ
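
The comparison made by hand in the post above (`id` on the server versus the token smbd logs for the session), as an added example that is not part of the original message. It assumes the level-5 `debug_unix_user_token` log format shown in the post; the function names, the shortened log excerpt and the `id` output with its group names are constructed for illustration.

```python
import re

# Constructed sample: shortened smbd log excerpt in the format shown in the
# post (headers wrapped onto two lines, as in the archive) and constructed
# `id` output. Gid 17400 is left out of the smbd token to show a mismatch.
SAMPLE_LOG = """\
[2017/01/31 10:08:43.323953,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 5227
  Primary group is 513 and contains 3 supplementary groups
  Group[  0]: 513
  Group[  1]: 17361
  Group[  2]: 551
[2017/01/31 10:08:43.324192,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
"""
SAMPLE_ID = ("uid=5227(username) gid=513(domain users) "
             "groups=513(domain users),17361(staff),551(backup),17400(phd)")

def parse_unix_tokens(log_text):
    """Return one dict per debug_unix_user_token block: uid, gid, groups."""
    tokens, current = [], None
    for line in log_text.splitlines():
        if line.startswith("["):      # a new log record closes any open block
            current = None
        if m := re.match(r"\s+UNIX token of user (\d+)", line):
            current = {"uid": int(m.group(1)), "gid": None, "groups": set()}
            tokens.append(current)
        elif current is not None:
            if m := re.match(r"\s+Primary group is (\d+)", line):
                current["gid"] = int(m.group(1))
            elif m := re.match(r"\s+Group\[\s*\d+\]: (\d+)", line):
                current["groups"].add(int(m.group(1)))
    return tokens

def parse_id_groups(id_output):
    """Extract the numeric gids from the groups= field of `id` output."""
    field = id_output.split("groups=", 1)[1]
    return {int(g) for g in re.findall(r"(?:^|,)(\d+)\(", field)}

def missing_from_session(log_text, id_output, uid):
    """Gids that `id` reports for uid but the latest smbd token lacks."""
    sessions = [t for t in parse_unix_tokens(log_text) if t["uid"] == uid]
    if not sessions:
        raise ValueError(f"no smbd token for uid {uid} in log")
    latest = sessions[-1]
    return parse_id_groups(id_output) - (latest["groups"] | {latest["gid"]})
```

An empty result means the session token smbd built carries every group `id` reports, so group membership is not what differs between the `su` test and the SMB session.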

