[Samba] After some time "denied due to share security descriptor"
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 15 09:35:12 UTC 2015
Looks like something I saw here:
https://bbs.archlinux.org/viewtopic.php?id=180134
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alessandro Briosi
> Sent: Tuesday 15 September 2015 11:22
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] After some time "denied due to share security
> descriptor"
>
> On 2015-09-15 10:32 Rowland Penny wrote:
> > On 15/09/15 08:34, Alessandro Briosi wrote:
> >> Hi all,
> >> I'm using samba 4.1.20 (from sernet) with 2 AD servers and 1 as file
> >> server.
> >
> > Yes, but on what OS ?
> >
> OS of AD is CentOS 6, OS for file server is CentOS 7
>
> >>
> >> It happens that after some time (days), some users report that they
> >> cannot access the shares on the file server anymore, and I find the
> >> following entries in the log file:
> >>
> >> STATUS=daemon 'smbd' finished starting up and ready to serve
> >> connectionsuser DOMAIN\pc-name$ connection to sharename denied due to
> >> share security descriptor.
> >> STATUS=daemon 'smbd' finished starting up and ready to serve
> >> connectionsuser DOMAIN\pc-name$ connection to sharename denied due to
> >> share security descriptor.
> >
> > Very good, but is there anything else in the log ?
> > Is there anything in the event log on the client ?
> >
>
> Not on the server, but on the client I found some messages about
> Netlogon, Lsarsa, and SPNEGO, thanks.
> I'll be checking more deeply on this. For now I have rejoined the PC to
> the domain, I'll see if this fixes it.
>
> >>
> >> Killing the specific smbd process serving the client restores the
> >> access (obviously creating a new process).
> >>
> >> PCs don't get rebooted often (basically they are always on).
> >>
> >> It takes days to happen again then. Is this related to some Kerberos
> >> security?
> >
> > Don't know, you haven't posted your smb.conf & krb5.conf files
> >
>
> This is the file server configuration, just in case you can spot
> something wrong.
> (don't think krb5.conf is used)
>
> smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.NET
> security = ads
> idmap config * : range = 16777216-33554431
> template shell = /sbin/nologin
>
> netbios name = srvfile1
> netbios aliases = srvfile
> reset on zero vc = yes
>
> server string =
> encrypt passwords = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-20000
> idmap config DOMAIN:backend = ad
> idamp config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = false
>
> store dos attributes = Yes
> create mask = 0770
> force create mode = 0770
> directory mask = 0770
>
> [sharename]
> path = /home/SHARES/sharename
> read only = no
>
> --------------------------------------------
> krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
>