[Samba] Samba 4.2 domain member fails to access files

Achim Gottinger achim at ag-web.biz
Mon Apr 25 20:52:11 UTC 2016


Could be you have a few wrong entries in /var/lib/samba/private/idmap.ldb. 
Look for the objectSID of the affected users and compare xid to the 
desired uid.
Also run "net cache flush" to get caching out of the way.

achim~

Am 25.04.2016 um 21:52 schrieb Andreas Schamanek:
> Hi everybody, 1 of 3 mostly identical domain members gives me
> NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even
> weirder is the workaround I found by chance.
>
> I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4
> domain controller, the other 3 are joined as domain members. Their
> configuration is practically identical. The PDC uses an smbpasswd
> backend. No winbindd.
>
> Trying to list e.g. a user's home directory (or any other dir with
> permissions 0700) works on all members but the 3rd:
>
>    $ smbclient //member3/username -U username -W WORKGROUP
>    Enter username's password:
>    Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
>    smb: \> ls
>    NT_STATUS_ACCESS_DENIED listing \*
>    smb: \> quit
>
> When I open up a directory to e.g. 0777 I can create/upload a file
> which has the correct credentials, though if `create mask = 0600` the
> file cannot be read.
>
> I raised the log level to 10 and I compared the log with one from a
> member where it works. It seems like Samba silently errors out. Also,
> NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug
> this further?
>
> There's 1 (too?) obvious major difference: member3 (which denies
> access) is running Debian 8 with systemd. The others are still running
> Debian 7 with SysV init. But I fail to see how this could be the
> culprit.
>
> The weird workaround is the following: I generate a pseudo smbpasswd
> on member3 e.g. with
>    awk -F: '{X=":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
>    $3>499 {print $1":"$3 X X ":[U          ]:LCT-XXXXXXXX:"}' \
>    /etc/passwd >/etc/samba/smbpasswd.pseudo
>
> This puts my users (uid > 499) with no passwords in smbpasswd.pseudo.
> Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to
> smb.conf and users can access their data just fine. Authentication is
> still done via the PDC.
>
> Apparently, there's a problem with mapping UIDs or SID to UID, but
> why? I double-checked system settings, mount options, acl, xattr, obey
> pam restrictions. I tried `username map script = /bin/echo` and
> `username map` to no avail.
>
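To make the idmap.ldb check Achim describes less error-prone, here is an added example script; it is not from this thread and not part of Samba. It compares the SID-to-xid entries in a dump of idmap.ldb against the uids in /etc/passwd and reports every local user whose entry is missing or points at a different xid. Assumptions, all labelled in the code: the PDC hands out user RIDs with Samba's default algorithmic mapping for an smbpasswd backend (RID = 2*uid + 1000, "algorithmic rid base" left at 1000), the domain SID is supplied by the caller (the one below is made up), and the idmap.ldb dump and passwd lines are constructed sample data shaped like the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid type xidNumber`.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): check idmap.ldb
# SID->xid entries against local uids, as Achim suggests doing by hand.
#
# Assumptions:
#  * user RID = 2*uid + 1000 (Samba's default algorithmic RID mapping for an
#    smbpasswd-backed PDC with "algorithmic rid base" at its default of 1000)
#  * DOMAIN_SID is made up; on a real member take it from `net getdomainsid`
#  * SAMPLE_IDMAP imitates ldbsearch output on idmap.ldb and SAMPLE_PASSWD a
#    few /etc/passwd lines; both are constructed for this example

DOMAIN_SID='S-1-5-21-111111111-222222222-333333333'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash'

# alice (RID 3002) maps to her real uid, bob (RID 3004) got an autoallocated
# xid from the 3000000 range, carol (RID 3006) has no entry at all.
SAMPLE_IDMAP='# record 1
dn: CN=S-1-5-21-111111111-222222222-333333333-3002
objectSid: S-1-5-21-111111111-222222222-333333333-3002
type: ID_TYPE_UID
xidNumber: 1001

# record 2
dn: CN=S-1-5-21-111111111-222222222-333333333-3004
objectSid: S-1-5-21-111111111-222222222-333333333-3004
type: ID_TYPE_UID
xidNumber: 3000005

# record 3
dn: CN=S-1-5-21-111111111-222222222-333333333-513
objectSid: S-1-5-21-111111111-222222222-333333333-513
type: ID_TYPE_GID
xidNumber: 3000001

# returned 3 records
# 3 entries
# 0 referrals'

# check_idmap LDIF PASSWD DOMAIN_SID
# Prints one line per local user (uid > 499) whose idmap.ldb entry is missing
# or carries a different xid than the local uid; returns 1 if any was found.
check_idmap() {
    { printf '%s\n' "$2"; printf '%s\n' '=== idmap.ldb ==='; printf '%s\n' "$1"; } |
    awk -F: -v dom="$3" '
        $0 == "=== idmap.ldb ===" { pass = 2; next }
        # first part: passwd lines, remembered in file order
        pass != 2 && NF >= 3 && $3 > 499 { users[++n] = $1; uid[$1] = $3 }
        pass != 2 { next }
        # second part: LDIF records, one per blank-line separated block
        /^objectSid: / { sid = $2; sub(/^ /, "", sid) }
        /^type: /      { typ = $2; sub(/^ /, "", typ) }
        /^xidNumber: / { xid = $2 + 0 }
        /^$/           { flush() }
        END {
            flush()
            for (i = 1; i <= n; i++) {
                u = users[i]
                s = dom "-" (2 * uid[u] + 1000)    # assumed RID algorithm
                if (!(s in xidOf)) {
                    printf "%s uid=%s xid=none sid=%s\n", u, uid[u], s; bad++
                } else if (xidOf[s] != uid[u]) {
                    printf "%s uid=%s xid=%s sid=%s\n", u, uid[u], xidOf[s], s; bad++
                }
            }
            exit (bad > 0)
        }
        function flush() {
            # only user mappings matter here; ID_TYPE_GID entries are skipped
            if (sid != "" && (typ == "ID_TYPE_UID" || typ == "ID_TYPE_BOTH")) xidOf[sid] = xid
            sid = ""; typ = ""; xid = ""
        }
    '
}

check_idmap "$SAMPLE_IDMAP" "$SAMPLE_PASSWD" "$DOMAIN_SID" ||
    echo "idmap.ldb disagrees with /etc/passwd for the users listed above"
```

On a real member you would pass the function the actual ldbsearch output, the contents of /etc/passwd and the domain SID that `net getdomainsid` reports. The RID arithmetic only holds for an NT4-style PDC using algorithmic RIDs; if the domain assigns RIDs differently, look up each affected user's real SID and compare its xidNumber by hand instead.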