[Samba] NT_STATUS_ACCESS_DENIED

Gary Dale garydale at torfree.net
Fri Apr 6 19:51:14 GMT 2007 

I note the following in the SWAT documentation for security = share:

 >>>>>>>>>>>>
A list of possible UNIX usernames to match with the given client 
password is constructed using the following methods :

    *

      If the guest only parameter is set, then all the other stages are
      missed and only the guest account username is checked.

    *

      Is a username is sent with the share connection request, then this
      username (after mapping - see username map), is added as a
      potential username.

    *

      If the client did a previous /logon / request (the SessionSetup
      SMB call) then the username sent in this SMB will be added as a
      potential username.

    *

      The name of the service the client requested is added as a
      potential username.

    *

      The NetBIOS name of the client is added to the list as a potential
      username.

    *

      Any users on the user list are added as potential usernames.

If the /|guest only|/ parameter is not set, then this list is then tried 
with the supplied password. The first user for whom the password matches 
will be used as the UNIX user.

If the /|guest only|/ parameter is set, or no username can be determined 
then if the share is marked as available to the /|guest account|/, then 
this guest user will be used, otherwise access is denied.

Note that it can be /very/ confusing in share-level security as to which 
UNIX username will eventually be used in granting access.

<<<<<<<<<<<<<<<<

Since you haven't specified a "user = " or "guest account = " for the 
share, I have no idea what user Samba is going to try to connect with. 
Guest account defaults to nobody, which probably doesn't have access to 
the share.




Brandon Blackmoor wrote:
> Quoting "Joshua M. Miller" <joshua at itsecureadmin.com>:
>   
>> I would encourage you to simplify things even more
>> at this point until you get the situation resolved.
>>     
>
> Okay, now I am truly baffled.
>
> I have replaced the current smb.conf as follows:
>
>
> [global]
>         workgroup = MORTSHIRE
>         security = SHARE
>         netbios name = annwn
>         restrict anonymous = 0
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         guest ok = yes
>
> [media]
>         path = /media
>         writeable = yes
>         guest ok = yes
>
> [mediatest]
>         path = /mediatest
>         writeable = yes
>         guest ok = yes
>
>
> I have deleted the previously created samba users, and created a new samba user
> "smbguest" with a blank password. There is also a "smbguest" unix user which
> belongs to the "media" group.
>
> I have moved my old /var/media directory to /mediatest (moving it out of /var to
> the root directory), and I have created a new, empty directory called /media
> (also in the root directory), and I have chown'd both directories to be owned
> by root:media, and chmod'd them both 775 recursively:
>
>
> drwxrwxr-x   2 root     media  4096 Apr  6 13:31 media
> drwxrwxr-x   5 root     media  4096 Oct  1  2006 mediatest
>
>
> I then copied all of the files from /mediatest (the old directory) to /media
> (the new directory).
>
> Both directories have the exact same unix owners and permissions (recursively).
> Both directories have the exact same samba permissions.
> Both directories have the exact same contents.
> As far as I can tell, the only difference between these two directories is the
> date each was created.
> And yet...
>
> [root at annwn mediatest]# smbclient //annwn/media
> Password:
> Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
> Server not using user level security and no password supplied.
> smb: \> dir
>   .                                   D        0  Fri Apr  6 13:58:07 2007
>   ..                                  D        0  Fri Apr  6 13:31:18 2007
>   MP3                                 D        0  Fri Apr  6 14:32:50 2007
>   images                              D        0  Fri Apr  6 13:37:58 2007
>   video                               D        0  Fri Apr  6 13:53:32 2007
>
>                 57237 blocks of size 4194304. 4170 blocks available
>
> [root at annwn mediatest]# smbclient //annwn/mediatest
> Password:
> Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
> Server not using user level security and no password supplied.
> smb: \> dir
> NT_STATUS_ACCESS_DENIED listing \*
>
>                 57237 blocks of size 4194304. 4170 blocks available
>
>
> What the hell? What am I missing here?
>
> --
> Brandon Blackmoor
> bblackmoor at blackgate.net
> 2007-04-06
>

More information about the samba mailing list