[Samba] After some time "denied due to share security descriptor"
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Sep 15 09:49:27 UTC 2015
On 15/09/15 10:22, Alessandro Briosi wrote:
> On 2015-09-15 10:32 Rowland Penny wrote:
>> On 15/09/15 08:34, Alessandro Briosi wrote:
>>> Hi all,
>>> I'm using samba 4.1.20 (from sernet) with 2 AD servers and 1 as file
>>> server.
>>
>> Yes, but on what OS ?
>>
> OS of AD is Centos 6, OS for file server is Centos 7
>
>>>
>>> It happens that after some time (days), some users report that they
>>> cannot access the shares on the file server any-more, and I find the
>>> following entries in the log file:
>>>
>>> STATUS=daemon 'smbd' finished starting up and ready to serve
>>> connections
>>> user DOMAIN\pc-name$ connection to sharename denied due to share
>>> security descriptor.
>>> STATUS=daemon 'smbd' finished starting up and ready to serve
>>> connections
>>> user DOMAIN\pc-name$ connection to sharename denied due to share
>>> security descriptor.
>>
>> Very good, but is there anything else in the log ?
>> Is there anything in the event log on the client ?
>>
>
> Not on the server, but on the client I found some messages about
> Netlogon, Lsarsa, and SPNEGO, thanks.
> I'll be checking more deeply on this. For now I have rejoined the PC
> to the domain, I'll see if this fixes it.
>
>>>
>>> Killing the specific smbd process serving the client restores the
>>> access (obviously creating a new process).
>>>
>>> PCs don't get rebooted often (basically they are always on).
>>>
>>> It takes days to happen again then. Is this related to some kerberos
>>> security?
>>
>> Don't know, you haven't posted your smb.conf & krb5.conf files
>>
>
> This is the file server configuration, just in case you can spot
> something wrong.
> (don't think krb5.conf is used)
OH yes it is!
>
> smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.NET
> security = ads
> idmap config * : range = 16777216-33554431
> template shell = /sbin/nologin
>
> netbios name = srvfile1
> netbios aliases = srvfile
> reset on zero vc = yes
>
> server string =
> encrypt passwords = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-20000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = false
>
> store dos attributes = Yes
> create mask = 0770
> force create mode = 0770
> directory mask = 0770
>
> [sharename]
> path = /home/SHARES/sharename
> read only = no
>
OK, this:
idmap config * : range = 16777216-33554431
Conflicts with this:
idmap config *:range = 10000-20000
And the above is inside this:
idmap config DOMAIN:range = 1000-40000
Is sssd running? If not, remove the top line and adjust the other two so
they do not overlap.
I would also add the following two lines:
vfs objects = acl_xattr
map acl inherit = Yes
> --------------------------------------------
> krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
Set krb5.conf to:
[libdefaults]
default_realm = AD.DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = true
Rowland
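As an added check, not part of the thread and not Samba's own code: a small Python script that parses the `idmap config` lines of an smb.conf and reports the problems Rowland points out (the default domain's range set twice, and the tdb range sitting inside the ad range), plus a misspelled `idmap config` parameter name, which Samba treats as an unknown parameter and ignores. The input below is a constructed sample based on the posted smb.conf, with one line deliberately misspelled (`idamp`) to exercise that check; the file name check_idmap.py and the sample itself are assumptions.

```python
"""check_idmap.py: sanity-check the 'idmap config' layout of an smb.conf.

Added example, not Samba code. Reports: an option set twice for one domain,
ranges of different domains that overlap, a domain without backend or range,
and a misspelled 'idmap config' parameter that Samba would ignore as unknown.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the smb.conf posted in the thread; the
# 'idamp' line is deliberately misspelled to show what the checker reports.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
idmap config * : range = 16777216-33554431
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idamp config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000-40000
"""

# 'idmap config <domain>:<option> = <value>'. Samba ignores case and whitespace
# in parameter names, so '* : range' and '*:range' are the same option.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Anything shaped like an idmap line whose first word is not 'idmap'.
SUSPECT_RE = re.compile(r"^\s*(\S+)\s+config\s+\S+?\s*:\s*\w+\s*=", re.I)


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, List[str]]], List[str]]:
    """Return {domain: {option: [values in file order]}} and a list of suspect lines."""
    domains: Dict[str, Dict[str, List[str]]] = {}
    suspects: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {}).setdefault(opt, []).append(val)
            continue
        s = SUSPECT_RE.match(line)
        if s and s.group(1).lower() != "idmap":
            suspects.append(f"unknown parameter (typo for 'idmap config'?): {line}")
    return domains, suspects


def parse_range(text: str) -> Tuple[int, int]:
    """'1000-40000' -> (1000, 40000); reject malformed or inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return problem descriptions; an empty list means the idmap layout is sane."""
    domains, problems = parse_idmap(conf)
    ranges: List[Tuple[str, str, int, int]] = []
    for dom, opts in domains.items():
        vals = opts.get("range", [])
        if len(vals) > 1:
            # Samba keeps the last value it reads; earlier ones are dead config.
            problems.append(f"{dom}: 'range' set {len(vals)} times ({', '.join(vals)}); "
                            f"only the last ({vals[-1]}) takes effect")
        if "backend" not in opts:
            problems.append(f"{dom}: no 'backend' configured")
        if not vals:
            problems.append(f"{dom}: no 'range' configured")
        for v in vals:
            lo, hi = parse_range(v)
            ranges.append((dom, v, lo, hi))
    # Ranges of different domains must be disjoint: each backend allocates
    # uids/gids from its own range, so an overlap lets two SIDs share an id.
    for i, (d1, t1, lo1, hi1) in enumerate(ranges):
        for d2, t2, lo2, hi2 in ranges[i + 1:]:
            if d1 != d2 and lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"range {t1} ({d1}) overlaps {t2} ({d2})")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF):
        print("PROBLEM:", p)
```

On the sample this prints three problems: the misspelled `idamp` line, the `*` range set twice (the later `10000-20000` wins over `16777216-33554431`), and `10000-20000` overlapping the `ad` range `1000-40000`. `testparm -s` already reports a misspelled parameter as unknown, but it will not tell you that the tdb range lies inside the ad range; that has to be checked by hand or with something like this, because an overlap means the tdb backend can hand a machine or user SID an id that the ad backend has already given to someone else.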