[Samba] After some time "denied due to share security descriptor"

Alessandro Briosi tsdogs at briosix.org
Tue Sep 15 09:22:21 UTC 2015


Il 2015-09-15 10:32 Rowland Penny ha scritto:
> On 15/09/15 08:34, Alessandro Briosi wrote:
>> Hi all,
>> I'm using samba 4.1.20 (from sernet) with 2 AD servers and 1 as file 
>> server.
> 
> Yes, but on what OS ?
> 
OS of AD is Centos 6, OS for file server is Centos 7

>> 
>> It happens that after some time (days), some users report that they 
>> cannot access the shares on the file server any more, and I find the 
>> following entries in the log file:
>> 
>> STATUS=daemon 'smbd' finished starting up and ready to serve connections
>> user DOMAIN\pc-name$ connection to sharename denied due to share security descriptor.
>> STATUS=daemon 'smbd' finished starting up and ready to serve connections
>> user DOMAIN\pc-name$ connection to sharename denied due to share security descriptor.
> 
> Very good, but is there anything else in the log ?
> Is there anything in the event log on the client ?
> 

Not on the server, but on the client I found some messages about 
Netlogon, Lsarsa, and SPNEGO, thanks.
I'll be checking more deeply on this. For now I have rejoined the PC to 
the domain, I'll see if this fixes it.

>> 
>> Killing the specific smbd process serving the client restores the 
>> access (obviously creating a new process).
>> 
>> PCs don't get rebooted often (basically they are always on).
>> 
>> It takes days to happen again then. Is this related to some kerberos 
>> security?
> 
> Don't know, you haven't posted your smb.conf & krb5.conf files
> 

This is the file server configuration, just in case you can spot 
something wrong.
  (don't think krb5.conf is used)

smb.conf

[global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.NET
    security = ads
    idmap config * : range = 16777216-33554431
    template shell = /sbin/nologin

    netbios name = srvfile1
    netbios aliases = srvfile
    reset on zero vc = yes

    server string =
    encrypt passwords = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    idmap config *:backend = tdb
    idmap config *:range = 10000-20000
    idmap config DOMAIN:backend = ad
    idamp config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 1000-40000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind offline logon = false

    store dos attributes = Yes
    create mask = 0770
    force create mode = 0770
    directory mask = 0770

[sharename]
   path = /home/SHARES/sharename
   read only = no

--------------------------------------------
krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
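Before chasing Kerberos, the posted [global] section has three things a reviewer would flag: `idmap config *:range` is given twice (smbd keeps the last value), `idamp config` is a misspelling smbd will not recognise, and the DOMAIN range 1000-40000 overlaps the `*` range 10000-20000. The checker below is an added example, not code from this thread or from Samba; it runs over a constructed copy of the posted lines, and the function names and the difflib-based spelling heuristic are my own choices.

```python
import difflib
import re
from collections import defaultdict

# Constructed sample: the idmap-related [global] lines as posted in this thread.
SMB_CONF = """
[global]
    workgroup = DOMAIN
    security = ads
    idmap config * : range = 16777216-33554431
    idmap config *:backend = tdb
    idmap config *:range = 10000-20000
    idmap config DOMAIN:backend = ad
    idamp config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 1000-40000

[sharename]
    path = /home/SHARES/sharename
"""

def parse_global(text):
    """Map normalised [global] keys to every value they were given, in order."""
    keys = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        # Samba parameter names are case-insensitive and tolerate spaces around ':'
        key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.lower()))
        keys[key].append(value)
    return keys

def check_idmap(text):
    """Return findings: misspelled idmap keys, repeated keys, overlapping ranges."""
    findings, ranges = [], {}
    for key, values in parse_global(text).items():
        first = key.split(" ")[0]
        # heuristic (assumption): a first word close to 'idmap' but not equal is a typo
        if first != "idmap" and difflib.get_close_matches(first, ["idmap"], cutoff=0.75):
            findings.append(f"unknown parameter, likely a misspelling of idmap: '{key}'")
            continue
        m = re.match(r"^idmap config (\S+):(\w+)$", key)
        if not m:
            continue
        if len(values) > 1:
            findings.append(f"'{key}' set {len(values)} times; last value wins: {values[-1]}")
        if m.group(2) == "range":
            lo, hi = (int(x) for x in values[-1].split("-"))
            ranges[m.group(1)] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # pairwise overlap test between domain ranges
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SMB_CONF):
        print(finding)
```

Run against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read())`; `testparm` reports the unknown-parameter case too, but not the range overlap.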
