Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue




On Mon, 12 Mar 2018 11:11:44 +0000
Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I have a Samba AD running Samba 4.7.5. Everything was working fine, 
> when, seemingly out of the blue, the users started to be denied
> access to all shares. If I try from a Windows 7 or Windows 10
> machine, logged in as a user in "Domain Uses", I get:
> 
> "Windows cannot access \\server-name\share_name. You do not have 
> permission to access \\server-name\share_name"
> 
> If I use smbclient, it allows me to login on the share, but if I do 
> 'ls', I get:
> 
> smb: \> ls
> NT_STATUS_ACCESS_DENIED listing \*
> 
> I have tried the following:
> 
> 1. The Domain admin can still access the shares - both from smbclient 
> and from Windows machines.
> 
> 2. I have checked the acl's on the server, they look ok:
> 
> # getfacl share_name/
> # file: clients/
> # owner: root
> # group: MYDOMAIN\134domain\040users
> user::rwx
> group::rwx
> group:MYDOMAIN\134domain\040users:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:group::rwx
> default:group:MYDOMAIN\134domain\040users:rwx
> default:mask::rwx
> default:other::---
> 
> 3. "wbinfo -g" and "wbinfo -u" work correctly
> 
> 4. Kerberos tests work correctly
> 
> 5. There are no errors in the Bind/dns configuration
> 
> 6. I have logged in through Windows and reset the permissions there
> to allow "Domain Users" on the share
> 
> 7. All my smb.conf shares look like this:
> 
> [share_name]
> path = /srv/samba/share_name
> read only = No
> inherit acls = yes
> 
> 
> I am at a loss how "Domain Users" is denied access to the share, when 
> everything appears to be fine. Any suggestions much appreciated!
> 

Can you post your entire smb.conf (as on disk)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba