Web lists-archives.com

[Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




Hello,

I am testing Samba 4.9.7 before we upgrade our 4.8 domain member server. I am running into a weird permission error with our test server. My home directory is NFS mounted. The problem comes from a mail directory in my home directory.  I can't access it over SMB/CIFS, it gives me a permission error. From another Linux host that has our home directories NFS mounted, I can access it fine. Also, from our soon to be retired NT Domain server, I can access the directory.

Home directory mounted with,

mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA


 smbd_dirptr_get_entry mask=[*] found .AndroidStudio3.1 fname=.AndroidStudio3.1 (.AndroidStudio3.1) [2019/05/02 12:28:31.276870,  3, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:158 [2019/05/02 12:28:33.578220,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:33.578305,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.537282,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:36.537361,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.538662,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(mail) inheriting from .
[2019/05/02 12:28:36.538737,  2, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(mail) inherit mode 40755
[2019/05/02 12:28:36.538956,  3, pid=26508, effective(12508, 10513), real(12508, 0)] ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:296

From Linux side of things, it looks good. Permissions are correct.

jazzy 43 % ls -lad mail
drwx------ 2 paulg tech 62 Sep 21  2018 mail
jazzy 44 % cd mail
jazzy 45 % ls -l
total 0
-rw------- 1 paulg tech 0 Apr  9 13:54 Drafts
-rw------- 1 paulg tech 0 Apr  9 13:54 Sent
-rw------- 1 paulg tech 0 Apr  9 13:54 Templates
-rw------- 1 paulg tech 0 Apr  9 13:54 Trash

I am at a lost concerning this one, any pointers?


Thanks
Paul

---- files server ----
[global]
security = ADS
workgroup = ONEEXAMPLECA
realm = AD.ONE.EXAMPLE.CA
server string = Samba Server
hostname lookups = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ONEEXAMPLECA domain
idmap config ONEEXAMPLECA : backend = rid
idmap config ONEEXAMPLECA : range = 10000-999999

winbind use default domain = yes
local master = No

#log files
debug timestamp = yes
debug uid = yes
debug pid = yes
debug level = 3
max log size = 0

username map = /xconf/samba/usermap

#ip networking
max connections = 0
interfaces = 127.0.0.1 130.xx.xx.xx
bind interfaces only = yes

#printing
load printers = no
printcap name = /xconf/lprng/printcap
printing = bsd
print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
lpq command = /xsys/bin/lpq -P%p
lprm command = /xsys/bin/lprm -P%p %j
use client driver = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /eecs/home/%U

# security settings
guest account = nobody
invalid users = root
nt acl support = yes
inherit permissions = yes
client lanman auth = no
client ntlmv2 auth = yes
wide links = no
unix extensions = no

[homes]
comment = Home Directories
browseable = yes
read only = no
valid users = %S
csc policy = disable
invalid users = activ8
oplocks = no
level2 oplocks = no
strict locking = no
posix locking = no


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba