[Samba] PDC on 3.0.8 upgraded to 3.5.6-70 now getting 'Access Is Denied' from clients
stelter at sonic.net
Sat Dec 11 12:32:03 MST 2010
Wow! this got long on me.
The problem seems similar to the one expressed here:
http://www.mail-archive.com/samba@lists.samba.org/msg111029.html
but I already had server signing = no in my config, and the 4
relevant options all seem correct.
client schannel = Auto
server schannel = Auto
client signing = auto
server signing = No
On one of my PC's I can see 'If possible = yes' on the ones
that are 'auto' and 'no' on the one that is 'no', so I think they
are in sync.
I'm not 100% sure what might be relevant, so I included a lot
following. For the cliff notes, read the next 2 paragraphs
and then skip down to my results of 38.1.7 from the troubleshooting guide.
Here I can more or less reproduce the error, but the guide provides no
expectation of an error the way I'm getting it.
In a nutshell, I tarred up all files I felt were important from
my Fedora core 3 installation and did a clean Fedora core 14
installation and then untarred all the content for my shares and
put /etc/samba/* back in place and fired up the new samba. I had hoped
that I could just stick the tdb files over and everything would just
keep working. But I think maybe I had multiple passwd.tdb and secret.tdb
files and didn't realize the one actually being used because after
doing so, pdbedit -w -L showed no users. So I added all the users
back in via smbpasswd -a. I unjoined my machines from the domain and
rejoined them.
Everything *mostly* seems like it should be working, I can log into an
XP Pro or Win2K machine using domain=STELTER, but I'm immediately told
that it can't access the profiles so it logs me in with a vanilla
desktop, but it does mount my login drive at I:. However, when I
double-click on I:, I get a simple dialog saying 'Access Is Denied'.
Skip down to 38.1.7 and then come back to the rest if you find some history
is needed.
Details Details Details follow:
WHY AM I DOING THIS??
---------------------
I had been happily running Fedora Core 3 since about 2004 (IIRC)
with samba acting as a primary domain controller. I had 5 children,
a wife and 3 computers. I implemented roaming profiles (after
considerable learning curve) and anyone in my family could log
into any box and see the same desktop and same 'My Documents'
(which was actually just a samba share directory). About once a year
I would go on a 2 wk vacation and generally uptime on the box was
about 350 days and I'd shut it down. It just worked.
Well, I have recently been upgrading some boxes (2.4 GHz P4 was
the top machine on the domain) and the last one I built is going
to replace one of the domain computers, but it is win7pro. I found
that the box did not join the domain and upon investigation learned
I must have 3.3 or 3.4 and some registry tweaks.
SO WHAT HAVE I DONE?
---------------------
I really only cared about the data on my shares and the samba
configuration so my plan was to tar up the linux disk into a
40GB file, copy it to another machine, install FC14, copy the tar
back and untar it. It went mostly as designed-- I wound up with a
40GB tar file (I had created a /z directory and from / issued
tar cf z/backup.tar [a-x]*). I copied that to my new win7pro
box and installed Fedora Core 14 back on my trusty 800MHz Celeron's
120GB drive. I then added all the users back via useradd with their
old gid's and uid's. After copying the tar file back to the fedora
box and untarring it and putting all the shares back in their correct
locations, I installed samba 3.5.6-70 and copied my smb.conf,
passwd.tdb, secret.tdb, and lmhosts from my tar over to /etc/samba.
I fired up samba and tried to see what was/wasn't working.
Well, First off, boxes could see the STELTER domain, but none of the
machines inside. I found by doing pdbedit -w -L that my users did not
translate over properly. I discovered that the secret.tdb and passwd.tdb
file in use was under /var/... so clearly I hadn't put my files in the
right place.
In retrospect, I'm not really sure that the files I grabbed
from /etc/samba were even in use on my old box. I also saw a secret.tdb
file in my root directory which I copied over too. I then found that
something must have gone wrong with my 40GB tar. I had done a tar tvf
on it after making it and confirmed that all the shares I cared about
and /etc were in it but I didn't look too closely at it. Seems somehow
/var and /usr were omitted from the tar (got too long? some error
I overlooked?). Matters not, those directories are now gone so
there is no hope of finding if the tdb files were under the var
hierarchy or not-- Actually I probably have a backup of that from
a couple years ago, but I just pressed on.
I did smbpasswd on each user and I unjoined/rejoined 3 computers
to the domain. Now if I browse to Networks on a windows box,
I see STELTER domain and if I push into it I can see all my shares.
But if I try to actually see any contents on any of the shares,
I'm told 'Access Is Denied'.
On a non-domain box I can see Fedorabox, and when I click on it I
can Enter my DOMAIN\user login and it accepts it, but it then tells
me the access is denied. On a domain machine I can log in with my
domain credentials and it logs me in, but in the process it says it
can't access the profiles share. It mounts my login drive, but not a
second drive mounted in the netlogon script, so I don't think it can
access the netlogon either.
I thought maybe some SID credential was stored and now mismatched
because of the way I re-added all the users. I tried a command to
flush netbios cache or something like that but that didn't help
(seemed to be tied to the machine sids, not user sids and the
machines don't seem to have problems with the domains--
it's the users that seem to have problems with the shares.)
NITTY GRITTY DETAILS:
Following: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
38.1.1 testparm smb.conf -- No errors
38.1.2 I can't ping by hostname, but I can ping by IP Address,
and the other boxes can obviously find each other to domain register/etc,
so I don't *think* this is cause for it.
[root at fedorabox samba]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
352 68137 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
9 432 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
302 23556 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-ns
37 8905 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-dgm
4 192 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:netbios-ssn
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:microsoft-ds
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-ns
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-dgm
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:epmap
49 4281 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 419 packets, 49081 bytes)
pkts bytes target prot opt in out source destination
I really don't understand this output fully, but the tcp/udp items
above seem to map to 135/tcp, 137/udp, 138/udp, 139/tcp, and
445/tcp as prescribed in
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html.
I also disabled the firewall and the problem persisted so I don't think
the problem is here.
38.1.3 Looks good--
[root at fedorabox samba]# smbclient -L fedorabox
Enter cstelter's password:
Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]
Sharename Type Comment
--------- ---- -------
netlogon Disk
Profiles Disk
homedir Disk Commen 'system' type components
sys Disk Commen 'system' type components
IPC$ IPC IPC Service (Samba Server)
cstelter Disk Home Directories
Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]
Server Comment
--------- -------
FEDORABOX Samba Server
GOOFTROOP
GOOFTROOPTOO Downstairs Activity
MOMSBOX Mom's Computer
STELTERHUB
Workgroup Master
--------- -------
STELTER FEDORABOX
WORKGROUP HTPC
38.1.4-- here, 38.1.4 directs to do nmblookup -B fedorabox __SAMBA__,
but that fails for me (DNS not working in my env), but Ch12
in the Quick HOWTO
(http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch12_:_Samba_Security_and_Troubleshooting)
directs to use the IP. I don't *think* this is my problem.
[root at fedorabox samba]# nmblookup -B 192.168.0.102 __SAMBA__
querying __SAMBA__ on 192.168.0.102
192.168.0.102 __SAMBA__<00>
38.1.5 Again, I can't lookup by name, but this works by IP address
[root at fedorabox samba]# nmblookup -B 192.168.0.110 '*'
querying * on 192.168.0.110
192.168.0.110 *<00>
38.1.6 Looks good to me:
[root at fedorabox samba]# nmblookup -d 2 '*'
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
added interface eth0 ip=fe80::21b:21ff:fe0a:12c0%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.102 bcast=192.168.0.255 netmask=255.255.255.0
Got a positive name query response from 192.168.0.111 ( 192.168.0.111 )
Got a positive name query response from 192.168.0.1 ( 192.168.0.1 )
Got a positive name query response from 192.168.0.117 ( 192.168.0.117 )
Got a positive name query response from 192.168.0.110 ( 192.168.0.110 )
Got a positive name query response from 192.168.0.102 ( 192.168.0.102 )
querying * on 192.168.0.255
192.168.0.111 *<00>
192.168.0.1 *<00>
192.168.0.117 *<00>
192.168.0.110 *<00>
192.168.0.102 *<00>
38.1.7. This seems to exactly mirror my problem-- I can connect
to a share, but I can't look at it.
[root at fedorabox ~]# smbclient //fedorabox/sys
Enter cstelter's password:
Domain=[STELTER] OS=[Unix] Server=[Samba 3.5.6-70.fc14]
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
60475 blocks of size 262144. 38485 blocks available
smb: \> quit
[root at fedorabox ~]# ls -al /share/system
total 56
drwxr-xr-x. 8 cstelter stelters 4096 Oct 21 10:52 .
drwxr-xr-x. 3 root root 4096 Dec 11 03:56 ..
drwxr-xr-x. 2 cstelter stelters 4096 Sep 17 2008 bitmaps
drwxr-xr-x. 4 cstelter stelters 4096 Feb 4 2007 Dad
-rw-r--r--. 1 cstelter stelters 5478 May 1 2010 flight1.mid
-rw-r--r--. 1 cstelter stelters 5478 May 1 2010 flight2.mid
-rw-r--r--. 1 cstelter stelters 5478 May 1 2010 flight3.mid
drwxr-xr-x. 38 cstelter stelters 4096 Oct 4 2005 infocom
drwxr-xr-x. 2 cstelter stelters 4096 Oct 4 2005 Infocom Games
drwxr-xr-x. 7 cstelter stelters 4096 Feb 12 2008 Program Files
drwxr-xr-x. 51 cstelter stelters 4096 Nov 17 16:33 Utilities
And of course if I do this as user cstelter instead of user root,
I have no problems looking at the unix dir:
[cstelter at fedorabox system]$ ls
bitmaps flight1.mid flight3.mid Infocom Games Utilities
Dad flight2.mid infocom Program Files
38.1.8 This one looks good
C:\tmp>net view \\fedorabox
Shared resources at \\fedorabox
Samba Server
Share name Type Used as Comment
-------------------------------------------------------------------------------
cstelter Disk Home Directories
homedir Disk Commen 'system' type components
netlogon Disk
Profiles Disk
sys Disk Commen 'system' type components
The command completed successfully.
38.1.9 This one looks good
C:\tmp>net use x: \\fedorabox\sys
The command completed successfully.
but then when I check, again not able to view files on the share:
C:\tmp>x:
X:\>dir
Volume in drive X is sys
Volume Serial Number is 5E44-014D
Directory of X:\
File Not Found
X:\>
38.1.10 Looks good:
[cstelter at fedorabox system]$ nmblookup -M STELTER
querying STELTER on 192.168.0.255
192.168.0.102 STELTER<1d>
38.1.11 This works until I actually try to browse *into* the shares.
I can get a list of shares, just can't access them. I've
played with encrypt passwords-- currently I don't set it
in smb.conf, but I've tried setting it to yes and it still fails.
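An added example for the firewall check in 38.1.2 (not code from the post or from the Samba project): a Python parser that reads `iptables -L -v` output and reports which of the ports the securing-samba chapter lists (135/tcp, 137/udp, 138/udp, 139/tcp, 445/tcp) have no reachable ACCEPT rule in INPUT, honouring first-match order so a rule placed after the catch-all REJECT is not counted. The function names and the trimmed sample chain are constructed for this example.

```python
import re

# Ports the securing-samba HOWTO chapter lists for Samba; iptables -L prints them
# by /etc/services name, so the Samba-relevant names are mapped back to numbers.
REQUIRED_PORTS = {("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
SERVICE_PORTS = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445}

# Sample input: the INPUT chain from the post above, with unrelated rules trimmed.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  352 68137 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
  302 23556 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-ns
   37  8905 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-dgm
    4   192 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:netbios-ssn
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:microsoft-ds
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:epmap
   49  4281 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
"""


def accepted_new_connections(iptables_output):
    """(proto, port) pairs that the INPUT chain lets NEW remote connections reach."""
    accepted, in_input = set(), False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT")
            continue
        tok = line.split()
        if not in_input or len(tok) < 9 or not tok[0].isdigit():
            continue  # header row, blank line, or a rule in another chain
        target, proto, in_if = tok[2], tok[3], tok[5]
        dpt = re.search(r"dpt:(\S+)", line)
        if target != "ACCEPT":
            if proto == "all" and dpt is None and in_if == "any":
                break  # catch-all REJECT/DROP: iptables never reaches later rules
            continue
        if "RELATED,ESTABLISHED" in line or in_if == "lo":
            continue  # these admit no new connections from the network
        if dpt is not None:
            name = dpt.group(1)  # a service name, or a number under iptables -n
            port = SERVICE_PORTS.get(name) or (int(name) if name.isdigit() else None)
            if port is not None:
                accepted.add((proto, port))
    return accepted


def samba_ports_blocked(iptables_output=SAMPLE_IPTABLES):
    """Required Samba ports that no reachable ACCEPT rule in INPUT opens."""
    return REQUIRED_PORTS - accepted_new_connections(iptables_output)
```

Run it against the live output with `samba_ports_blocked(subprocess.check_output(["iptables", "-L", "-v"], text=True))`; an empty set means the firewall is not the cause, which matches the post's own conclusion for this chain.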