Web lists-archives.com

Re: [Samba] NT_STATUS_ACCESS_DENIED on a directory I have permission to access




Hai Paul, 

Look at this: user=paulg,uid=2381 
(from mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA)

Now, look at this : 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ONEEXAMPLECA domain
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 10000-999999 

What do you notice here. ( the hint is 2381:1000 ) and i would expect to see 10000:10000 or higher. 
Do you see what i mean? Your UID/GID is a local users one, not AD-DC users. 

Your ranges are out of sync now, and that your denied is completly correct. 

Greetz, 

Louis



 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Paul 
> Griffith via samba
> Verzonden: donderdag 2 mei 2019 21:24
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] NT_STATUS_ACCESS_DENIED on a directory I 
> have permission to access
> 
> Hello,
> 
> I am testing Samba 4.9.7 before we upgrade our 4.8 domain 
> member server. 
> I am running into a weird permission error with our test 
> server. My home 
> directory is NFS mounted. The problem comes from a mail 
> directory in my 
> home directory.  I can't access it over SMB/CIFS, it gives me a 
> permission error. From another Linux host that has our home 
> directories 
> NFS mounted, I can access it fine. Also, from our soon to be 
> retired NT 
> Domain server, I can access the directory.
> 
> Home directory mounted with,
> 
> mount -t cifs //xxxx.xxxx.yorku.ca/homes /tmp/1 -o 
> user=paulg,uid=2381,gid=1000,domain=AD.ONE.EXAMPLE.CA
> 
> 
>   smbd_dirptr_get_entry mask=[*] found .AndroidStudio3.1 
> fname=.AndroidStudio3.1 (.AndroidStudio3.1)
> [2019/05/02 12:28:31.276870,  3, pid=26508, effective(12508, 10513), 
> real(12508, 0)] 
> ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[STATUS_NO_MORE_FILES] || at 
> ../source3/smbd/smb2_query_directory.c:158
> [2019/05/02 12:28:33.578220,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
>    unix_mode(mail) inheriting from .
> [2019/05/02 12:28:33.578305,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
>    unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.537282,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
>    unix_mode(mail) inheriting from .
> [2019/05/02 12:28:36.537361,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
>    unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.538662,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:136(unix_mode)
>    unix_mode(mail) inheriting from .
> [2019/05/02 12:28:36.538737,  2, pid=26508, effective(12508, 10513), 
> real(12508, 0)] ../source3/smbd/dosmode.c:161(unix_mode)
>    unix_mode(mail) inherit mode 40755
> [2019/05/02 12:28:36.538956,  3, pid=26508, effective(12508, 10513), 
> real(12508, 0)] 
> ../source3/smbd/smb2_server.c:3202(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[NT_STATUS_ACCESS_DENIED] || at 
> ../source3/smbd/smb2_create.c:296
> 
>  From Linux side of things, it looks good. Permissions are correct.
> 
> jazzy 43 % ls -lad mail
> drwx------ 2 paulg tech 62 Sep 21  2018 mail
> jazzy 44 % cd mail
> jazzy 45 % ls -l
> total 0
> -rw------- 1 paulg tech 0 Apr  9 13:54 Drafts
> -rw------- 1 paulg tech 0 Apr  9 13:54 Sent
> -rw------- 1 paulg tech 0 Apr  9 13:54 Templates
> -rw------- 1 paulg tech 0 Apr  9 13:54 Trash
> 
> I am at a lost concerning this one, any pointers?
> 
> 
> Thanks
> Paul
> 
> ---- files server ----
> [global]
> security = ADS
> workgroup = ONEEXAMPLECA
> realm = AD.ONE.EXAMPLE.CA
> server string = Samba Server
> hostname lookups = yes
> 
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the ONEEXAMPLECA domain
> idmap config ONEEXAMPLECA : backend = rid
> idmap config ONEEXAMPLECA : range = 10000-999999
> 
> winbind use default domain = yes
> local master = No
> 
> #log files
> debug timestamp = yes
> debug uid = yes
> debug pid = yes
> debug level = 3
> max log size = 0
> 
> username map = /xconf/samba/usermap
> 
> #ip networking
> max connections = 0
> interfaces = 127.0.0.1 130.xx.xx.xx
> bind interfaces only = yes
> 
> #printing
> load printers = no
> printcap name = /xconf/lprng/printcap
> printing = bsd
> print command = /xsys/bin/lpr -b -P%p %s ; rm -f %s
> lpq command = /xsys/bin/lpq -P%p
> lprm command = /xsys/bin/lprm -P%p %j
> use client driver = yes
> 
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /eecs/home/%U
> 
> # security settings
> guest account = nobody
> invalid users = root
> nt acl support = yes
> inherit permissions = yes
> client lanman auth = no
> client ntlmv2 auth = yes
> wide links = no
> unix extensions = no
> 
> [homes]
> comment = Home Directories
> browseable = yes
> read only = no
> valid users = %S
> csc policy = disable
> invalid users = activ8
> oplocks = no
> level2 oplocks = no
> strict locking = no
> posix locking = no
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba