[Samba] Samba 4.2 domain member fails to access files
Andreas Schamanek
schamane at fam.tuwien.ac.at
Mon Apr 25 19:52:35 UTC 2016
Hi everybody, 1 of 3 mostly identical domain members gives me
NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even
weirder is the workaround I found by chance.
I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4
domain controller, the other 3 are joined as domain members. Their
configuration is practically identical. The PDC uses an smbpasswd
backend. No winbindd.
Trying to list e.g. a user's home directory (or any other dir with
permissions 0700) works on all members but the 3rd:
$ smbclient //member3/username -U username -W WORKGROUP
Enter username's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> quit
When I open up a directory to e.g. 0777 I can create/upload a file
which has the correct credentials, though if `create mask = 0600` the
file cannot be read.
I raised the log level to 10 and I compared the log with one from a
member where it works. It seems like Samba silently errors out. Also,
NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug
this further?
There's 1 (too?) obvious major difference: member3 (which denies
access) is running Debian 8 with systemd. The others are still running
Debian 7 with SysV init. But I fail to see how this could be the
culprit.
The weird workaround is the following: I generate a pseudo smbpasswd
on member3 e.g. with
awk -F: '{X=":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
$3>499 {print $1":"$3 X X ":[U ]:LCT-XXXXXXXX:"}' \
/etc/passwd >/etc/samba/smbpasswd.pseudo
This puts my users (uid > 499) with no passwords in smbpasswd.pseudo.
Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to
smb.conf and users can access their data just fine. Authentication is
still done via the PDC.
Apparently, there's a problem with mapping UIDs or SID to UID, but
why? I double-checked system settings, mount options, acl, xattr, obey
pam restrictions. I tried `username map script = /bin/echo` and
`username map` to no avail.
--
-- Andreas
:-]
More information about the samba
mailing list