Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue





On 12/03/18 12:56, Rowland Penny via samba wrote:
On Mon, 12 Mar 2018 11:36:47 +0000
Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:


On 12/03/18 11:28, Rowland Penny via samba wrote:
On Mon, 12 Mar 2018 11:11:44 +0000
Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:

I have a Samba AD running Samba 4.7.5. Everything was working fine,
when, seemingly out of the blue, the users started to be denied
access to all shares. If I try from a Windows 7 or Windows 10
machine, logged in as a user in "Domain Uses", I get:

"Windows cannot access \\server-name\share_name. You do not have
permission to access \\server-name\share_name"

If I use smbclient, it allows me to login on the share, but if I do
'ls', I get:

smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I have tried the following:

1. The Domain admin can still access the shares - both from
smbclient and from Windows machines.

2. I have checked the acl's on the server, they look ok:

# getfacl share_name/
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---

3. "wbinfo -g" and "wbinfo -u" work correctly

4. Kerberos tests work correctly

5. There are no errors in the Bind/dns configuration

6. I have logged in through Windows and reset the permissions there
to allow "Domain Users" on the share

7. All my smb.conf shares look like this:

[share_name]
path = /srv/samba/share_name
read only = No
inherit acls = yes


I am at a loss how "Domain Users" is denied access to the share,
when everything appears to be fine. Any suggestions much
appreciated!


Can you post your entire smb.conf (as on disk)


Hi Rowland. Please find the smb.conf below:


# Global parameters
[global]
          netbios name = HEBU-SERVER
          realm = HEBU.LAN
          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
          workgroup = HEBU
          server role = active directory domain controller
          idmap_ldb:use rfc2307 = yes

          bind interfaces only = Yes
          interfaces = lo br0 tun0


There are few default settings there, but nothing really wrong except
for 'inherit acls = yes'. You cannot use things like this on DC, you
need to set the permissions from windows, see here:

I actually added 'inherit acls = yes' after the problem started, just in case. I used the second link below to set the permissions from Windows - adding 'Domain Users' to the list (when logged in as the domain Administrator - which it let me). But I still can't access them using any other domain user. I just discovered that even if I add users to the 'Domain Admins' group, they are still not allowed to access the shares.


https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

and:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't think this is your main problem though, did the problem start
after a windows update ?
I think your clients are possibly trying to connect with NTLMv2

If that was the case, shouldn't smbclient continue to work? I can't list the contents of the shares even using smbclient.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba