
Re: [Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
On 12/03/18 11:28, Rowland Penny via samba wrote:
On Mon, 12 Mar 2018 11:11:44 +0000
Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:

I have a Samba AD running Samba 4.7.5. Everything was working fine,
when, seemingly out of the blue, the users started to be denied
access to all shares. If I try from a Windows 7 or Windows 10
machine, logged in as a user in "Domain Users", I get:

"Windows cannot access \\server-name\share_name. You do not have
permission to access \\server-name\share_name"

If I use smbclient, it allows me to log in to the share, but if I do
'ls', I get:

smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I have tried the following:

1. The Domain admin can still access the shares - both from smbclient
and from Windows machines.

2. I have checked the ACLs on the server; they look ok:

# getfacl share_name/
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---

3. "wbinfo -g" and "wbinfo -u" work correctly

4. Kerberos tests work correctly

5. There are no errors in the Bind/DNS configuration

6. I have logged in through Windows and reset the permissions there
to allow "Domain Users" on the share

7. All my smb.conf shares look like this:

[share_name]
path = /srv/samba/share_name
read only = No
inherit acls = yes


I am at a loss as to how "Domain Users" is denied access to the share, when
everything appears to be fine. Any suggestions much appreciated!


Can you post your entire smb.conf (as on disk)?


Hi Rowland. Please find the smb.conf below:


# Global parameters
[global]
        netbios name = HEBU-SERVER
        realm = HEBU.LAN
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = HEBU
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        bind interfaces only = Yes
        interfaces = lo br0 tun0

        log file = /var/log/samba/%m.log
        #cap log file
        max log size = 1000

        mangling method = hash2
        mangle prefix = 6
        reset on zero vc = Yes
        deadtime = 10

        load printers = yes
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        spoolss: architecture = Windows x64

[netlogon]
        path = /var/lib/samba/sysvol/hebu.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        path = /var/spool/samba
        printable = yes
        printing = cups
        cups options = raw

[print$]
        path = /var/lib/samba/printers
        read only = no

[admin]
        path = /srv/samba/admin
        read only = No
        inherit acls = yes

        ####################################
        # Recycle bin options
        vfs objects = recycle
        recycle:repository = Recycle.Bin
        recycle:directory_mode = 0770
        recycle:subdir_mode = 0770
        recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
        recycle:versions = Yes
        recycle:touch_mtime = Yes
        recycle:keeptree = No
        recycle:minsize = 1

[clients]
        path = /srv/samba/clients
        read only = No
        inherit acls = yes

        ####################################
        # Recycle bin options
        vfs objects = recycle
        recycle:repository = Recycle.Bin
        recycle:directory_mode = 0770
        recycle:subdir_mode = 0770
        recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
        recycle:versions = Yes
        recycle:touch_mtime = Yes
        recycle:keeptree = No
        recycle:minsize = 1

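Reading the getfacl output in the thread by hand is easy to get wrong: the group name carries octal escapes (`\134` is a backslash, `\040` a space, so `MYDOMAIN\134domain\040users` is the OS-level group `MYDOMAIN\domain users`), and the `mask::` entry silently caps every named user and group entry. The script below is an added illustration, not code from the thread or from the Samba project. It parses getfacl output, decodes the escapes, and applies the acl(5) check order (owning user, named user, owning and named groups restricted by the mask, then other) for a given user and group list. The first sample ACL is the one posted above; the user names, the group memberships and the second ACL (the same directory after a `chmod 750`, constructed to show the mask effect and the `#effective:` annotation getfacl prints) are assumptions. On the posted ACL it reports that even a user in no group at all gets rwx on the directory via `other::rwx`, while a freshly created file only gets `default:other::---`; that is only the POSIX side, and it says nothing about the share definition or the NT ACL Samba keeps next to it (`samba-tool ntacl get`), which it does not model.

```python
r"""POSIX ACL evaluation for getfacl(1) output (added illustration, not code
from the thread or from Samba). Decodes getfacl's octal escapes (\134 is a
backslash, \040 a space, so MYDOMAIN\134domain\040users is "MYDOMAIN\domain
users") and applies the acl(5) check order: owning user, named user, then
owning/named groups cut down by the mask entry, then other."""
import re

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name):
    """Decode getfacl's octal escapes (backslash plus three octal digits)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_getfacl(text):
    """Return {'owner', 'group', 'access', 'default'}; entries are
    (tag, qualifier, perms) with perms a subset of {'r', 'w', 'x'}."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#"):
            continue  # "# file:" header and blank lines
        else:
            line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            kind = "access"
            if line.startswith("default:"):
                kind, line = "default", line[len("default:"):]
            tag, qual, perms = line.split(":")
            acl[kind].append((tag, unescape(qual), set(perms) - {"-"}))
    return acl

def check_access(acl, user, groups, want):
    """acl(5) check: does `user` (member of `groups`) get every letter in
    `want`, e.g. "rx"? Returns (granted, reason)."""
    want, entries = set(want), acl["access"]
    mask = next((p for t, _, p in entries if t == "mask"), {"r", "w", "x"})
    def entry(tag, qual=""):
        return next((p for t, q, p in entries if t == tag and q == qual), None)
    if user == acl["owner"]:  # 1. owning user: never restricted by the mask
        p = entry("user")
        return want <= p, f"owner entry user::{fmt(p)}"
    p = entry("user", user)  # 2. named user entry, masked
    if p is not None:
        return want <= (p & mask), f"user:{user}:{fmt(p)} masked to {fmt(p & mask)}"
    matched = False  # 3. owning group and named groups, masked
    for tag, qual, p in entries:
        if tag != "group":
            continue
        if (qual == "" and acl["group"] in groups) or (qual and qual in groups):
            matched = True
            if want <= (p & mask):
                return True, f"group:{qual}:{fmt(p)} masked to {fmt(p & mask)}"
    if matched:
        return False, "matching group entries exist but none grants all bits after the mask"
    p = entry("other")  # 4. everyone else
    return want <= p, f"other entry other::{fmt(p)}"

def child_acl(acl, owner):
    """Access ACL a new file in the directory inherits from the default
    entries (the kernel also intersects this with the creation mode; skipped)."""
    return {"owner": owner, "group": acl["group"],
            "access": list(acl["default"]), "default": []}

# The ACL posted in the thread, copied verbatim.
THREAD_ACL = r"""
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---
"""

# Constructed: the same directory after `chmod 750`, which rewrites the mask
# to r-x and silently cuts the named group down to read-only.
MASKED_ACL = r"""
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::r-x
group:MYDOMAIN\134domain\040users:rwx   #effective:r-x
mask::r-x
other::---
"""

if __name__ == "__main__":
    print(check_access(parse_getfacl(THREAD_ACL), "bob", [], "rx"))
```

The group list passed to `check_access` must use the decoded form of the names, as `id <user>` or `getent group` prints them on the DC; comparing against the raw `\134`/`\040` spelling is a common way to conclude a user is "not in the group" when they are.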

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba