[Samba] Samba 4.2 domain member fails to access files

Achim Gottinger achim at ag-web.biz
Mon Apr 25 20:52:11 UTC 2016

It could be that you have a few wrong entries in /var/lib/samba/private/idmap.ldb. 
Look for the objectSID of the affected users and compare the xid to the 
desired uid.
Also run "net cache flush" to get caching out of the way.


On 25.04.2016 at 21:52, Andreas Schamanek wrote:
> Hi everybody, 1 of 3 mostly identical domain members gives me
> NT_STATUS_ACCESS_DENIED and I fail to debug this. But what's even
> weirder is the workaround I found by chance.
> I got 4 servers, all running Debian's Samba 4.2.10. 1 is a classic NT4
> domain controller, the other 3 are joined as domain members. Their
> configuration is practically identical. The PDC uses an smbpasswd
> backend. No winbindd.
> Trying to list e.g. a user's home directory (or any other dir with
> permissions 0700) works on all members but the 3rd:
>    $ smbclient //member3/username -U username -W WORKGROUP
>    Enter username's password:
>    Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
>    smb: \> ls
>    smb: \> quit
> When I open up a directory to e.g. 0777 I can create/upload a file
> which has the correct credentials, though if `create mask = 0600` the
> file cannot be read.
> I raised the log level to 10 and I compared the log with one from a
> member where it works. It seems like Samba silently errors out. Also,
> NT_STATUS_ACCESS_DENIED does not show up in the log. How can I debug
> this further?
> There's 1 (too?) obvious major difference: member3 (which denies
> access) is running Debian 8 with systemd. The others are still running
> Debian 7 with SysV init. But I fail to see how this could be the
> culprit.
> The weird workaround is the following: I generate a pseudo smbpasswd
> on member3 e.g. with
>    awk -F: '$3>499 {print $1":"$3":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-XXXXXXXX:"}' \
>    /etc/passwd >/etc/samba/smbpasswd.pseudo
> This puts my users (uid > 499) with no passwords in smbpasswd.pseudo.
> Then I add `passdb backend = smbpasswd:/etc/samba/smbpasswd.pseudo` to
> smb.conf and users can access their data just fine. Authentication is
> still done via the PDC.
> Apparently, there's a problem with mapping UIDs or SID to UID, but
> why? I double-checked system settings, mount options, acl, xattr, obey
> pam restrictions. I tried `username map script = /bin/echo` and
> `username map` to no avail.
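
The check suggested in the reply above, as an added example that is not part of the thread and not Samba's own tooling: dump the SID-to-xid records from idmap.ldb (in practice with `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber type`) and compare each user's stored xidNumber with the uid that /etc/passwd assigns to that user. The LDIF below and the SID/uid table are constructed sample data; the domain SID, RIDs and the 3000012 xid are made up, and the LDIF attribute layout is assumed to match what ldbsearch prints for idmap.ldb. The SID for a given user would normally come from `wbinfo -n username` on a member that runs winbindd.

```shell
#!/bin/sh
# Added example (not from the thread). check_idmap compares the xidNumber
# stored per objectSid in an LDIF dump of idmap.ldb against the uid the
# local system expects for that SID.

# Constructed sample: what "ldbsearch -H /var/lib/samba/private/idmap.ldb
# '(objectSid=*)' objectSid xidNumber type" is assumed to print.
SAMPLE_LDIF='# record 1
dn: CN=S-1-5-21-1111-2222-3333-1001
objectSid: S-1-5-21-1111-2222-3333-1001
type: ID_TYPE_UID
xidNumber: 1001

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1002
objectSid: S-1-5-21-1111-2222-3333-1002
type: ID_TYPE_UID
xidNumber: 3000012
'

# Constructed sample: "<objectSid> <uid from /etc/passwd>" per line, i.e. the
# mapping the member is supposed to use (SIDs and uids are made up).
SAMPLE_EXPECTED='S-1-5-21-1111-2222-3333-1001 1001
S-1-5-21-1111-2222-3333-1002 1002'

# Usage: check_idmap "<ldif text>" "<expected table>"
# Prints one line per SID whose stored xidNumber differs from the expected
# uid, or which has no record at all. Returns 0 when everything matches.
check_idmap() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) want[f[1]] = f[2]
            bad = 0
        }
        /^objectSid: / { sid = $2 }
        /^xidNumber: /  { xid = $2 }
        /^$/            { flush() }
        END {
            flush()
            for (s in want)
                if (!(s in seen)) {
                    printf "%s expected uid %s but has no record in idmap.ldb\n", s, want[s]
                    bad = 1
                }
            exit bad
        }
        # flush is called at the end of each LDIF record
        function flush(    x) {
            if (sid != "") {
                seen[sid] = 1
                if ((sid in want) && want[sid] != xid) {
                    x = (xid == "") ? "(none)" : xid
                    printf "%s expected uid %s but idmap.ldb has xid %s\n", sid, want[sid], x
                    bad = 1
                }
            }
            sid = ""; xid = ""
        }
    '
}

if check_idmap "$SAMPLE_LDIF" "$SAMPLE_EXPECTED"; then
    echo "all idmap.ldb records match the expected uids"
else
    echo "mismatching idmap.ldb records found (see above)"
fi
```

A reported mismatch is exactly the situation the reply describes: the member resolves the user's SID to an xid that is not the uid owning the files, so a 0700 directory is denied. After correcting a record, run `net cache flush` as the reply says, since a stale cached mapping would otherwise keep producing the same result.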