
Re: [Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue




On Mon, 12 Mar 2018 11:36:47 +0000
Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> On 12/03/18 11:28, Rowland Penny via samba wrote:
> > On Mon, 12 Mar 2018 11:11:44 +0000
> > Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> I have a Samba AD running Samba 4.7.5. Everything was working fine,
> >> when, seemingly out of the blue, the users started to be denied
> >> access to all shares. If I try from a Windows 7 or Windows 10
> >> machine, logged in as a user in "Domain Users", I get:
> >>
> >> "Windows cannot access \\server-name\share_name. You do not have
> >> permission to access \\server-name\share_name"
> >>
> >> If I use smbclient, it allows me to login on the share, but if I do
> >> 'ls', I get:
> >>
> >> smb: \> ls
> >> NT_STATUS_ACCESS_DENIED listing \*
> >>
> >> I have tried the following:
> >>
> >> 1. The Domain admin can still access the shares - both from
> >> smbclient and from Windows machines.
> >>
> >> 2. I have checked the ACLs on the server, they look ok:
> >>
> >> # getfacl share_name/
> >> # file: clients/
> >> # owner: root
> >> # group: MYDOMAIN\134domain\040users
> >> user::rwx
> >> group::rwx
> >> group:MYDOMAIN\134domain\040users:rwx
> >> mask::rwx
> >> other::rwx
> >> default:user::rwx
> >> default:group::rwx
> >> default:group:MYDOMAIN\134domain\040users:rwx
> >> default:mask::rwx
> >> default:other::---
> >>
> >> 3. "wbinfo -g" and "wbinfo -u" work correctly
> >>
> >> 4. Kerberos tests work correctly
> >>
> >> 5. There are no errors in the Bind/dns configuration
> >>
> >> 6. I have logged in through Windows and reset the permissions there
> >> to allow "Domain Users" on the share
> >>
> >> 7. All my smb.conf shares look like this:
> >>
> >> [share_name]
> >> path = /srv/samba/share_name
> >> read only = No
> >> inherit acls = yes
> >>
> >>
> >> I am at a loss how "Domain Users" is denied access to the share,
> >> when everything appears to be fine. Any suggestions much
> >> appreciated!
> >>
> > 
> > Can you post your entire smb.conf (as on disk)
> 
> 
> Hi Rowland. Please find the smb.conf below:
> 
> 
> # Global parameters
> [global]
>          netbios name = HEBU-SERVER
>          realm = HEBU.LAN
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = HEBU
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
> 
>          bind interfaces only = Yes
>          interfaces = lo br0 tun0
> 

There are a few default settings there, but nothing really wrong except
for 'inherit acls = yes'. You cannot use things like this on a DC; you
need to set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

and:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't think this is your main problem though. Did the problem start
after a Windows update?
I think your clients are possibly trying to connect with NTLMv2.

Rowland
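
A check for the 'inherit acls' point in the reply above, as an added example that is not part of the original thread and not Samba's own tooling: it parses smb.conf text and, when the server role is an AD DC, lists the sections that enable that parameter. The function names and the second share in the sample are made up for illustration; role synonyms and `include` files are not handled.

```python
import re

# Parameter the reply says not to set on a DC (only the one it names),
# stored the way Samba compares names: lower case, whitespace removed.
DC_UNSUITABLE = {"inheritacls"}
TRUE_VALUES = {"yes", "true", "on", "1"}
DC_ROLE = "active directory domain controller"

# Constructed sample: the thread's settings plus a made-up second share.
SAMPLE = """\
[global]
    realm = HEBU.LAN
    workgroup = HEBU
    server role = active directory domain controller

[share_name]
    path = /srv/samba/share_name
    read only = No
    inherit acls = yes

[other_share]
    path = /srv/samba/other_share
    Inherit ACLs = no
"""

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} for smb.conf text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_dc_shares(text):
    """List (section, parameter) pairs enabled in smb.conf but unsuitable on a DC."""
    conf = parse_smb_conf(text)
    if conf.get("global", {}).get("serverrole", "").lower() != DC_ROLE:
        return []                          # advice in the thread is DC-specific
    return [(sec, p) for sec, params in conf.items()
            for p in sorted(DC_UNSUITABLE & set(params))
            if params[p].lower() in TRUE_VALUES]
```

Calling `audit_dc_shares(open("/etc/samba/smb.conf").read())` runs the same check on a real file; the path is an assumption and varies by distribution.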
