[Samba] Intermittent permission denied when accessing share
Lorenzo Milesi
maxxer at yetopen.it
Mon May 18 21:14:39 UTC 2020
> trying again.
here's the output.
thanks!
Config collected --- 2020-05-18-23:08 -----------
Hostname: fileserver
DNS Domain: wdc.mydomain.it
Realm: WDC.MYDOMAIN.IT
FQDN: fileserver.wdc.mydomain.it
ipaddress: 10.0.0.3
-----------
This computer is running Ubuntu 18.04.4 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:7a:3c:11 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 brd 10.0.0.255 scope global ens160
inet6 fe80::20c:29ff:fe7a:3c11/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
#127.0.1.1 fileserver
10.0.0.3 fileserver.wdc.mydomain.it fileserver
10.0.0.3 mail.mydomain.it mail
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback localhost
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 10.0.0.3
search wdc.mydomain.it
-----------
Kerberos SRV _kerberos._tcp.wdc.mydomain.it record(s) verified ok, sample output:
Server: 10.0.0.3
Address: 10.0.0.3#53
_kerberos._tcp.wdc.mydomain.it service = 0 100 88 fileserver.wdc.mydomain.it.
-----------
'kinit Administrator' checked successfully.
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = WDC.MYDOMAIN.IT
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
WDC.MYDOMAIN.IT = {
default_domain = wdc.mydomain.it
}
[domain_realm]
fileserver = WDC.MYDOMAIN.IT
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /usr/local/samba/etc/smb.conf
# Global parameters
[global]
netbios name = FILESERVER
realm = WDC.MYDOMAIN.IT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = WDC
netbios aliases = serverx3
idmap_ldb:use rfc2307 = yes
# https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
# template shell = /bin/bash
template homedir = /home/%U
hide unreadable = yes
# I due parametri sotto abbassano il protocollo minimo di comunicazione, messi per consentire le join dei PC con XP
# FIXME ANDREBBERO TOLTI APPENA NON CI SONO PIU' CLIENT XP
server min protocol = NT1
client min protocol = NT1
log level = 8
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
browseable = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/wdc.mydomain.it/scripts
read only = No
browseable = No
[homes]
path = /home/CONDIVISI/personali
include = /usr/local/samba/etc/cestino.conf
read only = No
[BACHECA]
path = /home/CONDIVISI/BACHECA
include = /usr/local/samba/etc/cestino.conf
read only = No
-----------
This DC is being used as a fileserver
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
# 2020.04.21 yetopen
acl internals { 127.0.0.0/8; 10.0.0.0/24; };
# 2020.04.21 yetopen - fine
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
# dnssec-validation auto;
# auth-nxdomain no; # conform to RFC1035
# 2020.04.21 yetopen https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Setting_up_the_named.conf_files
listen-on-v6 { none; };
forwarders { 10.0.0.1; 208.67.222.123; };
version "Go Away 0.0.7";
notify no;
empty-zones-enable no;
auth-nxdomain yes;
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
// Added Per Debian buster Bind9.
// Due to : resolver: info: resolver priming query complete messages in the logs.
// See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
minimal-responses yes;
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "internals"; };
allow-query-cache { "internals"; };
// Add any subnets or hosts you want to allow to use recursive queries
recursion yes;
allow-recursion { "internals"; };
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
// ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
// or AFTER upgrading your dns from internal to bind9_dlz
// Before Samba 4.9.0
// tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
# 2020.04.21 yetopen - fine
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/usr/local/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list check :
0.0.10.in-addr.arpa
wdc.mydomain.it
mydomain.it
_msdcs.wdc.mydomain.it
-----------
-----------
This is the DC with the PDC Emulator role and time is: 2020-05-18T23:09:04
-----------
Installed packages:
ii acl 2.2.52-3build1 amd64 Access control list utilities
ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.3+dfsg-1ubuntu1.11 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.3+dfsg-1ubuntu1.11 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.3+dfsg-1ubuntu1.11 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-kdc 1.16-2ubuntu0.1 amd64 MIT Kerberos key server (KDC)
ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
ii krb5-multidev:amd64 1.16-2ubuntu0.1 amd64 development files for MIT Kerberos without Heimdal conflict
ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3build1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2build1 amd64 Extended attribute static libraries and headers
ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.11 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
ii libkrb5-dev:amd64 1.16-2ubuntu0.1 amd64 headers and development libraries for MIT Kerberos
ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
ii python3-attr 17.4.0-2 all Attributes without boilerplate (Python 3)
ii zimbra-common-mbox-conf-attrs 8.8.15.1558767359-1.u18 amd64 Zimbra Core Mailbox Attributes Configuration
-----------
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary
-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.
Grazie.
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.
More information about the samba
mailing list