[Samba] Access denied on shares, why?
Markku Tavasti
tavasti at tavasti.fi
Thu Oct 6 12:37:50 MDT 2011
Hi!
I have a strange access problem. I'm migrating a Samba server from Suse to
Ubuntu, and it seems it won't work as expected. The problem all the time
is that normal users without admin rights can't access shares.
They can access their own home directories, but not common shares which
are limited to some groups.
Running Samba 3.5.11. Below is output from a few commands, the config file
and 2 snippets of logs as links (too big to include in this
email). Logs are quite long, but with log level 2 there was nothing
relevant, and log level 3 prints out a lot of log :-(
If I have forgotten to give some relevant information, don't hesitate to
ask. All hints are welcome, I'm getting desperate with this.
tavasti@mydomain:~$ smbclient //mydomainserver/asiakkaat -USome-User%passwd
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.11]
tree connect failed: NT_STATUS_ACCESS_DENIED
tavasti@mydomain:~$ id Some-User
uid=1017(Some-User) gid=1001(staff) groups=1001(staff),1004(some),05(other)
Log from this: http://tavasti.fi/~tavasti/misc/samba_2011-10-06_1.log
pdbedit -Lv shows:
---------------
Unix username: Some-User
NT username:
Account Flags: [U ]
User SID: S-1-5-21-332992484-2805335912-4147396850-3034
Primary Group SID: S-1-5-21-332992484-2805335912-4147396850-513
Full Name: Some-User Surname
Home Directory:
HomeDir Drive:
Logon Script: logon.bat
Profile Path:
Domain: MYDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 17:06:39 EET
Kickoff time: Wed, 06 Feb 2036 17:06:39 EET
Password last set: Wed, 05 Oct 2011 16:13:14 EEST
Password can change: Wed, 05 Oct 2011 16:13:14 EEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
root@mydomain:~# net -l groupmap list
Domain Users
SID : S-1-5-21-332992484-2805335912-4147396850-513
Unix gid : 50
Unix group: staff
Group type: Domain Group
Comment : Domain Unix group
Domain Admins
SID : S-1-5-21-332992484-2805335912-4147396850-3001
Unix gid : 1000
Unix group: ntadmins
Group type: Domain Group
Comment : Domain Unix group
Tried to add user to group manually:
root@mydomain:/var/log/samba_local# net rpc group addmem "Domain Users" Some-User
Enter root's password:
Could not add Some-User to Domain Users: NT_STATUS_ACCESS_DENIED
Log from this: http://tavasti.fi/~tavasti/misc/samba_2011-10-06_2.log
Config:
----------------------------------------------------------------------
[global]
log level = 3
passwd chat = *New*password* %n\n *Retype*new*password* %n\n \
obey pam restrictions = yes
socket options = TCP_NODELAY
domain master = Yes
time server = yes
encrypt passwords = yes
#passdb backend = smbpasswd
passdb backend = tdbsam:/etc/samba_local/passdb.tdb
logon home =
passwd program = /usr/bin/passwd %u
wins support = Yes
unix extensions = no
dns proxy = Yes
oplocks = yes
netbios name = mydomainserver
cups options = raw
server string = MYDOMAIN
logon script = logon.bat
ldap suffix =
unix password sync = yes
local master = Yes
workgroup = MYDOMAIN
logon path =
os level = 65
security = user
preferred master = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %u
pam password change = yes
domain logons = Yes
admin users = root Mika tavasti
[homes]
browseable = No
comment = Kotihakemistot
writeable = yes
valid users = %S, @staff, @root
inherit acls = Yes
create mode = 0660
directory mode = 0770
[profiles]
browseable = No
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = no
writable = no
#share modes = no
[yleiset]
writeable = yes
write list = @ntadmins, @staff
path = /shares/Yleiset
force directory mode = 2770
force group = staff
force create mode = 0770
valid users = @ntadmins, @staff
create mode = 0770
directory mode = 2770
----------------------------------------------------------------------
--
M. Tavasti / tavasti at tavasti.fi / +358-40-5078254