[Samba] Samba 4.2 domain member fails to access files

Andreas Schamanek schamane at fam.tuwien.ac.at
Mon Apr 25 19:52:35 UTC 2016

Hi everybody, 1 of 3 mostly identical domain members gives me 
NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even 
weirder is the workaround I found by chance.

I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4 
domain controller, the other 3 are joined as domain members. Their 
configuration is practically identical. The PDC uses an smbpasswd 
backend. No winbindd.

Trying to list e.g. a user's home directory (or any other dir with 
permissions 0700) works on all members but the 3rd:

  $ smbclient //member3/username -U username -W WORKGROUP
  Enter username's password: 
  Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
  smb: \> ls
  smb: \> quit

When I open up a directory to e.g. 0777 I can create/upload a file 
which has the correct credentials, though if `create mask = 0600` the 
file cannot be read.

I raised the log level to 10 and I compared the log with one from a 
member where it works. It seems like Samba silently errors out. Also, 
NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug 
this further?

There's 1 (too?) obvious major difference: member3 (which denies 
access) is running Debian 8 with systemd. The others are still running 
Debian 7 with SysV init. But I fail to see how this could be the 

The weird workaround is the following: I generate a pseudo smbpasswd 
on member3 e.g. with
  awk -F: '$3>499 {print $1":"$3":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-XXXXXXXX:"}' \
  /etc/passwd >/etc/samba/smbpasswd.pseudo

This puts my users (uid > 499) with no passwords in smbpasswd.pseudo. 
Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to 
smb.conf and users can access their data just fine. Authentication is 
still done via the PDC.

Apparently, there's a problem with mapping UIDs or SID to UID, but 
why? I double-checked system settings, mount options, acl, xattr, obey 
pam restrictions. I tried `username map script = /bin/echo` and 
`username map` to no avail.

-- Andreas
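As an added illustration (not code from the original mail), here is a POSIX shell version of the pseudo-smbpasswd workaround described above, plus a format check to run before pointing `passdb backend` at the file. The passwd lines are constructed sample input, the uid cutoff of 499 is the one from the post, and the hash fields hold only placeholder X characters, so the entries carry no usable credential.

```sh
# Constructed /etc/passwd-style input (not from the original post).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# 32 X characters: the width of the LM and NT hash fields in smbpasswd(5).
# No hash can be derived from this, so the entries cannot be used to log
# in; authentication still has to happen elsewhere (in the post: the PDC).
XH=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Emit one smbpasswd-format line per account with uid > 499, as the
# poster's workaround does: name:uid:LMhash:NThash:[flags]:LCT-hex:
gen_pseudo_smbpasswd() {
    awk -F: -v x="$XH" \
        '$3 > 499 { print $1 ":" $3 ":" x ":" x ":[U          ]:LCT-00000000:" }'
}

# Sanity check before pointing "passdb backend" at the file: each line
# must have the seven colon-separated fields smbpasswd(5) expects, a
# numeric uid, two 32-character hash fields and a 13-character flags field.
# Exit status 0 means every line passed.
check_pseudo_smbpasswd() {
    awk -F: '
        NF != 7                              { bad++; next }
        $2 !~ /^[0-9]+$/                     { bad++; next }
        length($3) != 32 || length($4) != 32 { bad++; next }
        length($5) != 13 || $5 !~ /^\[.*\]$/ { bad++; next }
        END { exit (bad > 0) }'
}

# Stand-alone run: generate from the constructed sample and validate it.
printf '%s\n' "$SAMPLE_PASSWD" | gen_pseudo_smbpasswd | check_pseudo_smbpasswd \
    && echo "pseudo smbpasswd lines are well formed"
```

The resulting file is still a passdb that smbd reads as root, so keep it owned by root with mode 0600 like the real smbpasswd file.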


