[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Mon Jul 28 07:41:51 MDT 2014
Alright, I was poking around this morning trying to make this work, and
noticed something odd. Loads of zombie nmbd processes. Check out the
dump below and tell me, what is going on here? Is this my problem?
root at fs01:~# ps x
PID TTY STAT TIME COMMAND
1 ? Ss 0:02 init [2]
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S 0:00 [kworker/u:0]
6 ? S 0:00 [migration/0]
7 ? S 0:01 [watchdog/0]
8 ? S< 0:00 [cpuset]
9 ? S< 0:00 [khelper]
10 ? S 0:00 [kdevtmpfs]
11 ? S< 0:00 [netns]
12 ? S 0:00 [xenwatch]
13 ? S 0:00 [xenbus]
14 ? S 0:01 [sync_supers]
15 ? S 0:00 [bdi-default]
16 ? S< 0:00 [kintegrityd]
17 ? S< 0:00 [kblockd]
19 ? S 0:00 [khungtaskd]
20 ? S 0:00 [kswapd0]
21 ? SN 0:00 [ksmd]
22 ? SN 0:00 [khugepaged]
23 ? S 0:00 [fsnotify_mark]
24 ? S< 0:00 [crypto]
173 ? S 0:00 [jbd2/xvda1-8]
174 ? S< 0:00 [ext4-dio-unwrit]
183 ? S 0:00 [kworker/u:1]
313 ? Ss 0:00 udevd --daemon
420 ? S 0:00 udevd --daemon
425 ? S 0:00 udevd --daemon
433 ? S 0:00 [khubd]
438 ? S< 0:00 [kpsmoused]
445 ? S< 0:00 [ata_sff]
471 ? S 0:00 [scsi_eh_0]
472 ? S 0:00 [scsi_eh_1]
1295 ? S 0:00 [jbd2/xvda2-8]
1296 ? S< 0:00 [ext4-dio-unwrit]
1297 ? S 0:01 [flush-202:0]
1298 ? S 0:00 [jbd2/xvda9-8]
1299 ? S< 0:00 [ext4-dio-unwrit]
1300 ? S 0:00 [jbd2/xvda10-8]
1301 ? S< 0:00 [ext4-dio-unwrit]
1302 ? S 0:00 [jbd2/xvda8-8]
1303 ? S< 0:00 [ext4-dio-unwrit]
1307 ? S 0:00 [jbd2/xvda11-8]
1308 ? S< 0:00 [ext4-dio-unwrit]
1309 ? S 0:00 [jbd2/xvda3-8]
1310 ? S< 0:00 [ext4-dio-unwrit]
1311 ? S 0:00 [jbd2/xvda4-8]
1312 ? S< 0:00 [ext4-dio-unwrit]
1313 ? S 0:00 [jbd2/xvda5-8]
1314 ? S< 0:00 [ext4-dio-unwrit]
1315 ? S 0:00 [jbd2/xvda6-8]
1316 ? S< 0:00 [ext4-dio-unwrit]
1317 ? S 0:00 [jbd2/xvda7-8]
1318 ? S< 0:00 [ext4-dio-unwrit]
1319 ? S 0:00 [jbd2/xvdb1-8]
1320 ? S< 0:00 [ext4-dio-unwrit]
1780 ? Sl 0:00 /usr/sbin/rsyslogd -c5
1811 ? Ss 0:00 /usr/sbin/acpid
1903 ? Ss 0:00 /usr/sbin/cron
1998 ? Ss 0:00 /usr/sbin/sshd
2022 tty1 Ss+ 0:00 /sbin/getty 38400 tty1
2023 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
2024 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
2025 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
2026 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
2027 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
2041 ? Ss 0:03 nmbd
2043 ? Ss 0:03 smbd
2045 ? Ss 0:00 winbindd
2046 ? S 0:02 winbindd
2047 ? S 0:00 winbindd
2048 ? S 0:00 winbindd
2049 ? S 0:00 smbd
2067 ? Z 0:00 [nmbd] <defunct>
2085 ? Z 0:00 [nmbd] <defunct>
2109 ? Z 0:00 [nmbd] <defunct>
2127 ? Z 0:00 [nmbd] <defunct>
2145 ? Z 0:00 [nmbd] <defunct>
2163 ? Z 0:00 [nmbd] <defunct>
2185 ? Z 0:00 [nmbd] <defunct>
2203 ? Z 0:00 [nmbd] <defunct>
2223 ? Z 0:00 [nmbd] <defunct>
2241 ? Z 0:00 [nmbd] <defunct>
2263 ? Z 0:00 [nmbd] <defunct>
2281 ? Z 0:00 [nmbd] <defunct>
2299 ? Z 0:00 [nmbd] <defunct>
2317 ? Z 0:00 [nmbd] <defunct>
2339 ? Z 0:00 [nmbd] <defunct>
2357 ? Z 0:00 [nmbd] <defunct>
2375 ? Z 0:00 [nmbd] <defunct>
2393 ? Z 0:00 [nmbd] <defunct>
2415 ? Z 0:00 [nmbd] <defunct>
2433 ? Z 0:00 [nmbd] <defunct>
2451 ? Z 0:00 [nmbd] <defunct>
2469 ? Z 0:00 [nmbd] <defunct>
2491 ? Z 0:00 [nmbd] <defunct>
2509 ? Z 0:00 [nmbd] <defunct>
2527 ? Z 0:00 [nmbd] <defunct>
2545 ? Z 0:00 [nmbd] <defunct>
2567 ? Z 0:00 [nmbd] <defunct>
2585 ? Z 0:00 [nmbd] <defunct>
2603 ? Z 0:00 [nmbd] <defunct>
2621 ? Z 0:00 [nmbd] <defunct>
2643 ? Z 0:00 [nmbd] <defunct>
2661 ? Z 0:00 [nmbd] <defunct>
2679 ? Z 0:00 [nmbd] <defunct>
2697 ? Z 0:00 [nmbd] <defunct>
2719 ? Z 0:00 [nmbd] <defunct>
2737 ? Z 0:00 [nmbd] <defunct>
2755 ? Z 0:00 [nmbd] <defunct>
2773 ? Z 0:00 [nmbd] <defunct>
2795 ? Z 0:00 [nmbd] <defunct>
2813 ? Z 0:00 [nmbd] <defunct>
2831 ? Z 0:00 [nmbd] <defunct>
2849 ? Z 0:00 [nmbd] <defunct>
2871 ? Z 0:00 [nmbd] <defunct>
2889 ? Z 0:00 [nmbd] <defunct>
2907 ? Z 0:00 [nmbd] <defunct>
2925 ? Z 0:00 [nmbd] <defunct>
2946 ? Z 0:00 [nmbd] <defunct>
2964 ? Z 0:00 [nmbd] <defunct>
2982 ? Z 0:00 [nmbd] <defunct>
3000 ? Z 0:00 [nmbd] <defunct>
3022 ? Z 0:00 [nmbd] <defunct>
3040 ? Z 0:00 [nmbd] <defunct>
3058 ? Z 0:00 [nmbd] <defunct>
3076 ? Z 0:00 [nmbd] <defunct>
3098 ? Z 0:00 [nmbd] <defunct>
3116 ? Z 0:00 [nmbd] <defunct>
3134 ? Z 0:00 [nmbd] <defunct>
3152 ? Z 0:00 [nmbd] <defunct>
3174 ? Z 0:00 [nmbd] <defunct>
3192 ? Z 0:00 [nmbd] <defunct>
3210 ? Z 0:00 [nmbd] <defunct>
3228 ? Z 0:00 [nmbd] <defunct>
3250 ? Z 0:00 [nmbd] <defunct>
3268 ? Z 0:00 [nmbd] <defunct>
3285 ? Z 0:00 [nmbd] <defunct>
3303 ? Z 0:00 [nmbd] <defunct>
3325 ? Z 0:00 [nmbd] <defunct>
3343 ? Z 0:00 [nmbd] <defunct>
3361 ? Z 0:00 [nmbd] <defunct>
3380 ? Z 0:00 [nmbd] <defunct>
3402 ? Z 0:00 [nmbd] <defunct>
3420 ? Z 0:00 [nmbd] <defunct>
3438 ? Z 0:00 [nmbd] <defunct>
3456 ? Z 0:00 [nmbd] <defunct>
3574 ? Z 0:00 [nmbd] <defunct>
3592 ? Z 0:00 [nmbd] <defunct>
3610 ? Z 0:00 [nmbd] <defunct>
3628 ? Z 0:00 [nmbd] <defunct>
3650 ? Z 0:00 [nmbd] <defunct>
3668 ? Z 0:00 [nmbd] <defunct>
3686 ? Z 0:00 [nmbd] <defunct>
3704 ? Z 0:00 [nmbd] <defunct>
3726 ? Z 0:00 [nmbd] <defunct>
3744 ? Z 0:00 [nmbd] <defunct>
3762 ? Z 0:00 [nmbd] <defunct>
3780 ? Z 0:00 [nmbd] <defunct>
3802 ? Z 0:00 [nmbd] <defunct>
3820 ? Z 0:00 [nmbd] <defunct>
3838 ? Z 0:00 [nmbd] <defunct>
3856 ? Z 0:00 [nmbd] <defunct>
3878 ? Z 0:00 [nmbd] <defunct>
3896 ? Z 0:00 [nmbd] <defunct>
3914 ? Z 0:00 [nmbd] <defunct>
3932 ? Z 0:00 [nmbd] <defunct>
3954 ? Z 0:00 [nmbd] <defunct>
3972 ? Z 0:00 [nmbd] <defunct>
3990 ? Z 0:00 [nmbd] <defunct>
4008 ? Z 0:00 [nmbd] <defunct>
4030 ? Z 0:00 [nmbd] <defunct>
4048 ? Z 0:00 [nmbd] <defunct>
4066 ? Z 0:00 [nmbd] <defunct>
4084 ? Z 0:00 [nmbd] <defunct>
4106 ? Z 0:00 [nmbd] <defunct>
4124 ? Z 0:00 [nmbd] <defunct>
4142 ? Z 0:00 [nmbd] <defunct>
4160 ? Z 0:00 [nmbd] <defunct>
4182 ? Z 0:00 [nmbd] <defunct>
4200 ? Z 0:00 [nmbd] <defunct>
4220 ? Z 0:00 [nmbd] <defunct>
4238 ? Z 0:00 [nmbd] <defunct>
4261 ? Z 0:00 [nmbd] <defunct>
4279 ? Z 0:00 [nmbd] <defunct>
4297 ? Z 0:00 [nmbd] <defunct>
4315 ? Z 0:00 [nmbd] <defunct>
4337 ? Z 0:00 [nmbd] <defunct>
4355 ? Z 0:00 [nmbd] <defunct>
4373 ? Z 0:00 [nmbd] <defunct>
4391 ? Z 0:00 [nmbd] <defunct>
4413 ? Z 0:00 [nmbd] <defunct>
4431 ? Z 0:00 [nmbd] <defunct>
4449 ? Z 0:00 [nmbd] <defunct>
4467 ? Z 0:00 [nmbd] <defunct>
4489 ? Z 0:00 [nmbd] <defunct>
4507 ? Z 0:00 [nmbd] <defunct>
4525 ? Z 0:00 [nmbd] <defunct>
4543 ? Z 0:00 [nmbd] <defunct>
4565 ? Z 0:00 [nmbd] <defunct>
4583 ? Z 0:00 [nmbd] <defunct>
4601 ? Z 0:00 [nmbd] <defunct>
4619 ? Z 0:00 [nmbd] <defunct>
4641 ? Z 0:00 [nmbd] <defunct>
4659 ? Z 0:00 [nmbd] <defunct>
4677 ? Z 0:00 [nmbd] <defunct>
4694 ? Z 0:00 [nmbd] <defunct>
4716 ? Z 0:00 [nmbd] <defunct>
4734 ? Z 0:00 [nmbd] <defunct>
4752 ? Z 0:00 [nmbd] <defunct>
4770 ? Z 0:00 [nmbd] <defunct>
4792 ? Z 0:00 [nmbd] <defunct>
4811 ? Z 0:00 [nmbd] <defunct>
4829 ? Z 0:00 [nmbd] <defunct>
4847 ? Z 0:00 [nmbd] <defunct>
4869 ? Z 0:00 [nmbd] <defunct>
4887 ? Z 0:00 [nmbd] <defunct>
4905 ? Z 0:00 [nmbd] <defunct>
4923 ? Z 0:00 [nmbd] <defunct>
4945 ? Z 0:00 [nmbd] <defunct>
4963 ? Z 0:00 [nmbd] <defunct>
4981 ? Z 0:00 [nmbd] <defunct>
4999 ? Z 0:00 [nmbd] <defunct>
5021 ? Z 0:00 [nmbd] <defunct>
5039 ? Z 0:00 [nmbd] <defunct>
5057 ? Z 0:00 [nmbd] <defunct>
5075 ? Z 0:00 [nmbd] <defunct>
5097 ? Z 0:00 [nmbd] <defunct>
5115 ? Z 0:00 [nmbd] <defunct>
5133 ? Z 0:00 [nmbd] <defunct>
5151 ? Z 0:00 [nmbd] <defunct>
5173 ? Z 0:00 [nmbd] <defunct>
5191 ? Z 0:00 [nmbd] <defunct>
5209 ? Z 0:00 [nmbd] <defunct>
5227 ? Z 0:00 [nmbd] <defunct>
5249 ? Z 0:00 [nmbd] <defunct>
5267 ? Z 0:00 [nmbd] <defunct>
5285 ? Z 0:00 [nmbd] <defunct>
5303 ? Z 0:00 [nmbd] <defunct>
5325 ? Z 0:00 [nmbd] <defunct>
5343 ? Z 0:00 [nmbd] <defunct>
5361 ? Z 0:00 [nmbd] <defunct>
5379 ? Z 0:00 [nmbd] <defunct>
5525 ? Z 0:00 [nmbd] <defunct>
5543 ? Z 0:00 [nmbd] <defunct>
5571 ? Z 0:00 [nmbd] <defunct>
5589 ? Z 0:00 [nmbd] <defunct>
5611 ? Z 0:00 [nmbd] <defunct>
5630 ? Z 0:00 [nmbd] <defunct>
5648 ? Z 0:00 [nmbd] <defunct>
5666 ? Z 0:00 [nmbd] <defunct>
5688 ? Z 0:00 [nmbd] <defunct>
5706 ? Z 0:00 [nmbd] <defunct>
5724 ? Z 0:00 [nmbd] <defunct>
5742 ? Z 0:00 [nmbd] <defunct>
5764 ? Z 0:00 [nmbd] <defunct>
5782 ? Z 0:00 [nmbd] <defunct>
5800 ? Z 0:00 [nmbd] <defunct>
5818 ? Z 0:00 [nmbd] <defunct>
5840 ? Z 0:00 [nmbd] <defunct>
5858 ? Z 0:00 [nmbd] <defunct>
5876 ? Z 0:00 [nmbd] <defunct>
5894 ? Z 0:00 [nmbd] <defunct>
5916 ? Z 0:00 [nmbd] <defunct>
5934 ? Z 0:00 [nmbd] <defunct>
5952 ? Z 0:00 [nmbd] <defunct>
5970 ? Z 0:00 [nmbd] <defunct>
5992 ? Z 0:00 [nmbd] <defunct>
6010 ? Z 0:00 [nmbd] <defunct>
6028 ? Z 0:00 [nmbd] <defunct>
6046 ? Z 0:00 [nmbd] <defunct>
6068 ? Z 0:00 [nmbd] <defunct>
6086 ? Z 0:00 [nmbd] <defunct>
6104 ? Z 0:00 [nmbd] <defunct>
6122 ? Z 0:00 [nmbd] <defunct>
6144 ? Z 0:00 [nmbd] <defunct>
6161 ? Z 0:00 [nmbd] <defunct>
6179 ? Z 0:00 [nmbd] <defunct>
6197 ? Z 0:00 [nmbd] <defunct>
6219 ? Z 0:00 [nmbd] <defunct>
6238 ? Z 0:00 [nmbd] <defunct>
6256 ? Z 0:00 [nmbd] <defunct>
6274 ? Z 0:00 [nmbd] <defunct>
6296 ? Z 0:00 [nmbd] <defunct>
6314 ? Z 0:00 [nmbd] <defunct>
6332 ? Z 0:00 [nmbd] <defunct>
6350 ? Z 0:00 [nmbd] <defunct>
6372 ? Z 0:00 [nmbd] <defunct>
6390 ? Z 0:00 [nmbd] <defunct>
6408 ? Z 0:00 [nmbd] <defunct>
6426 ? Z 0:00 [nmbd] <defunct>
6448 ? Z 0:00 [nmbd] <defunct>
6466 ? Z 0:00 [nmbd] <defunct>
6484 ? Z 0:00 [nmbd] <defunct>
6502 ? Z 0:00 [nmbd] <defunct>
6524 ? Z 0:00 [nmbd] <defunct>
6542 ? Z 0:00 [nmbd] <defunct>
6560 ? Z 0:00 [nmbd] <defunct>
6578 ? Z 0:00 [nmbd] <defunct>
6600 ? Z 0:00 [nmbd] <defunct>
6618 ? Z 0:00 [nmbd] <defunct>
6636 ? Z 0:00 [nmbd] <defunct>
6654 ? Z 0:00 [nmbd] <defunct>
6676 ? Z 0:00 [nmbd] <defunct>
6694 ? Z 0:00 [nmbd] <defunct>
6712 ? Z 0:00 [nmbd] <defunct>
6730 ? Z 0:00 [nmbd] <defunct>
6752 ? Z 0:00 [nmbd] <defunct>
6770 ? Z 0:00 [nmbd] <defunct>
6789 ? Z 0:00 [nmbd] <defunct>
6807 ? Z 0:00 [nmbd] <defunct>
6829 ? Z 0:00 [nmbd] <defunct>
6847 ? Z 0:00 [nmbd] <defunct>
6852 ? S 0:01 [kworker/0:0]
6867 ? Z 0:00 [nmbd] <defunct>
6885 ? Z 0:00 [nmbd] <defunct>
6906 ? Z 0:00 [nmbd] <defunct>
6924 ? Z 0:00 [nmbd] <defunct>
6942 ? Z 0:00 [nmbd] <defunct>
6960 ? Z 0:00 [nmbd] <defunct>
6982 ? Z 0:00 [nmbd] <defunct>
7000 ? Z 0:00 [nmbd] <defunct>
7018 ? Z 0:00 [nmbd] <defunct>
7036 ? Z 0:00 [nmbd] <defunct>
7058 ? Z 0:00 [nmbd] <defunct>
7076 ? Z 0:00 [nmbd] <defunct>
7094 ? Z 0:00 [nmbd] <defunct>
7112 ? Z 0:00 [nmbd] <defunct>
7134 ? Z 0:00 [nmbd] <defunct>
7152 ? Z 0:00 [nmbd] <defunct>
7170 ? Z 0:00 [nmbd] <defunct>
7188 ? Z 0:00 [nmbd] <defunct>
7210 ? Z 0:00 [nmbd] <defunct>
7228 ? Z 0:00 [nmbd] <defunct>
7246 ? Z 0:00 [nmbd] <defunct>
7264 ? Z 0:00 [nmbd] <defunct>
7286 ? Z 0:00 [nmbd] <defunct>
7304 ? Z 0:00 [nmbd] <defunct>
7322 ? Z 0:00 [nmbd] <defunct>
7340 ? Z 0:00 [nmbd] <defunct>
7458 ? Z 0:00 [nmbd] <defunct>
7476 ? Z 0:00 [nmbd] <defunct>
7494 ? Z 0:00 [nmbd] <defunct>
7512 ? Z 0:00 [nmbd] <defunct>
7534 ? Z 0:00 [nmbd] <defunct>
7552 ? Z 0:00 [nmbd] <defunct>
7569 ? Z 0:00 [nmbd] <defunct>
7587 ? Z 0:00 [nmbd] <defunct>
7609 ? Z 0:00 [nmbd] <defunct>
7627 ? Z 0:00 [nmbd] <defunct>
7645 ? Z 0:00 [nmbd] <defunct>
7665 ? Z 0:00 [nmbd] <defunct>
7676 ? S 0:00 [kworker/0:2]
7687 ? Z 0:00 [nmbd] <defunct>
7697 ? Ss 0:00 sshd: root at pts/0
7699 pts/0 Ss 0:00 -bash
7711 ? S 0:00 [kworker/0:1]
7718 ? S 0:00 [flush-202:16]
7721 pts/0 R+ 0:00 ps x
On 07/28/2014 09:18 AM, Ryan Ashley wrote:
> I have never even played with apparmor. I do my Debian installs using
> a net CD and doing the expert 64bit install. I disable recommended and
> suggested packages and install only exactly what I need, so I do not
> have apparmor or selinux. Good thought though. I also tried disabling
> the firewall on a test PC and still no go. This has NEVER happened
> before so I am lost.
>
> So where else should I look? The system in question is a domain member
> server, can resolve users and groups, and can set ACLs with user and
> groups from AD. It is simply denying access to group members of said
> shares.
>
> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>> On 27/07/14 16:28, Ryan Ashley wrote:
>>> I understand and I should have stated more clearly that I have been
>>> going through those results for over a week now. Nothing seems to
>>> help. Funny thing is that creating a second virtual file-server and
>>> using share authentication works fine. Yet another reason I am
>>> leaning towards group issues. If the file-server is share-level the
>>> Windows 7 boxes are happy. As soon as it goes AD and uses AD groups,
>>> they stop working. I have not tried user-level security yet. Then
>>> again I may have user-level and share-level confused. It has been a
>>> long week. I will keep searching but so far nothing I have found and
>>> tried works.
>>>
>>> Is there a way to get an actual reason for the denial? If it
>>> flat-out told me a reason I could troubleshoot. Right now I am just
>>> shooting in random directions hoping to hit something since all I
>>> get is "Access Denied". Is it possible to see is S4 is denying the
>>> connection via a log or something, or if Windows 7 is being
>>> stupid... again?
>>>
>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>> That solution is for Windows 8. That also is not our issue. The
>>>>> WIndows 7 Pro 64bit workstations see the server and shares, and
>>>>> they map the shares according to group policy, but then everybody
>>>>> gets access denied, despite being in the domain groups for which
>>>>> the shares were created. Funny thing is that if I logon as domain
>>>>> admin, I get to access the shares. Due to this, I fully believe
>>>>> the S4 server is ignoring or not accounting for group membership.
>>>>> The "reachfp" account is the domain admin. This is also the
>>>>> default owner of files on the shares. The group "administration"
>>>>> contains many members and does not grant access, despite the group
>>>>> being granted full control. This lead e into believing I am still
>>>>> dealing with a permissions issue and not another issue. If it was
>>>>> the other issue, I would assume domain admin could not see the
>>>>> share or access it. Is that about right?
>>>>>
>>>>>
>>>> You are missing the point, I probably could have chosen a better
>>>> target but I only spent about 30secs on the search:
>>>>
>>>> windows 7 64 bit access denied samba
>>>>
>>>> This returns About 116,000 results, here's another one:
>>>>
>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>>>
>>>>
>>>> Try looking into this before dismissing it out of hand and
>>>> insisting that samba is the problem.
>>>>
>>>> Rowland
>>>
>> OK, after more thought and re-reading your posts, a thought has
>> popped into my head, apparmor, do you have this running on the server ?
>> I have been caught out by this a few times, not being allowed to do
>> things that I thought I should be able to do, or packages not running
>> correctly because they were not allowed access, in every case it was
>> apparmor. As I could never get apparmor to play ball with me (I
>> thought that I had found all rights that needed modding and then
>> another one would pop its head up and what is in the logs bares no
>> resemblance to what you need to put in the conf file), I now disable
>> apparmor straight after installing a new system.
>>
>> Rowland
>>
>
More information about the samba
mailing list