[Samba] Reply: About error: 'Windows cannot access, you do not have permission to access'

Gaeseric Vandal gaiseric.vandal at gmail.com
Thu Dec 29 01:41:54 UTC 2016


Does "pdbedit -Lv" show the users?


If this is a standalone server, do you need idmap entries? Presumably your ldap server also has your unix level accounts?

When you changed the backend, did you dump the users out of the local tdb database and reimport to LDAP? I think the smbpasswd command can be used for some export and importing.

Did you type "smbpasswd -w" to set the ldap admin password? If you did not, you should see an error message in a log file.

 

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Chenyehua via samba
Sent: Wednesday, December 28, 2016 7:55 PM
To: 'Rowland Penny' <rpenny at samba.org>
Cc: samba at lists.samba.org
Subject: [Samba] Reply: About error: 'Windows cannot access, you do not have permission to access'

Thanks for your attention.
First, I used local users on the Samba server, and the client login succeeded.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2

Then it was changed to use LDAP, and smbd was restarted so that the Samba server closed the connection.

[global]
   workgroup = H3C ONESTOR
   server string = %h server (Samba NAS)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size =100000
   log level = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   usershare max shares = 100
   usershare allow guests = yes
   clustering = yes
   ctdbd socket = /var/run/ctdb/ctdbd.socket
   max protocol = SMB2
   large readwrite = yes
   idmap config *:range = 1000000-1999999
   use sendfile = yes
   store dos attributes = yes
   acl_xattr:ignore system acls = yes
   aio read size = 1024
   oplocks = no
   deadtime = 10
   aio write behind = true
   socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
   vfs objects = acl_xattr
   load printers = no
   idmap config *:backend = tdb2
   security = user
   idmap config ROOT:range = 2000000-2999999
   idmap config ROOT:backend = rid
   restrict anonymous = 2
   passdb backend = ldapsam:ldap://xxx
   ldap admin dn = "xxx"
   ldap suffix = "xxx"
   ldap delete dn = no
   ldap ssl = off

Now the client needs to re-login because the server has closed the connection. It then tries to access Samba and reports the error: 'Windows cannot access, you do not have permission to access'
I rebooted the client but it still reports this error.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: December 27, 2016 21:59
To: samba at lists.samba.org
Subject: Re: [Samba] About error: 'Windows cannot access, you do not have permission to access'

On Tue, 27 Dec 2016 13:34:24 +0000
Chenyehua via samba <samba at lists.samba.org> wrote:

> Hi,
> I have a Linux Samba server and list users at this server, and access
> the folder from the Windows 7 client. Now I configure an LDAP server and
> let Samba use it. But I don't want clients keeping the connection
> because I have changed the authentication; clients need to re-login. So
> I restart smbd, and it works. Then I let clients reconnect to Samba, but
> it reports errors: Windows cannot access \\xxxxxx You
> do not have permission to access \\xxxxx.... From the
> server's log, the client logs in with the old user and password which were saved
> by the last successful login. But why can't the client tell the wrong
> user or password, and it needs to re-login. From Google, I know
> restarting service->workstation can be useful to re-login, but it's not
> kind to the user or client. Is there any helpful parameter in smb.conf to
> avoid the errors so the client can reconnect without any operations such
> as restarting the workstation? Or can someone tell me why the client reports this
> error?
>
> Hope someone help, Thanks!

I am sorry, but I think from the little amount of info you have given, it is virtually impossible to decide what is wrong. You will have to give us a lot more info, let's start with the smb.conf

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
-------------------------------------------------------------------------------------------------------------------------------------
This e-mail and its attachments contain confidential information from H3C, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
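
The follow-up checks suggested in the reply at the top of this message, applied to the LDAP lines of the second smb.conf. This is an added example, not code from any poster or from the Samba project; it uses `pdbedit -i/-e` for the account copy and `smbpasswd -W` (the stdin form of `-w`), `OLD_PASSDB_TDB` is a placeholder, and the `ldap ssl` check is an extra point the thread does not discuss.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the tdbsam -> ldapsam switch.

# Print a [global] parameter; Samba ignores case and spaces in parameter names.
smbconf_get() {  # usage: smbconf_get FILE "parameter name"
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && (i = index($0, "=")) && norm(substr($0, 1, i - 1)) == norm(want) {
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# One line per follow-up; prints nothing unless the backend is ldapsam.
ldapsam_preflight() {  # usage: ldapsam_preflight FILE
    backend=$(smbconf_get "$1" "passdb backend")
    case $backend in ldapsam*) ;; *) return 0 ;; esac
    if [ -n "$(smbconf_get "$1" "ldap admin dn")" ]; then
        # -W reads the password from stdin, keeping it out of shell history
        echo "BINDPW: store the admin DN password in secrets.tdb: smbpasswd -W"
    else
        echo "BINDPW: 'ldap admin dn' is not set"
    fi
    echo "USERS: accounts are now read from LDAP; list them with: pdbedit -Lv"
    # OLD_PASSDB_TDB is a placeholder for the previous tdbsam file
    echo "USERS: to copy old accounts: pdbedit -i tdbsam:OLD_PASSDB_TDB -e $backend"
    ssl=$(smbconf_get "$1" "ldap ssl" | tr 'A-Z' 'a-z')
    case "$backend,$ssl" in
        *ldaps://*) ;;
        *,off|*,no) echo "TLS: ldap ssl = $ssl over ldap:// sends the bind in clear text" ;;
    esac
}

# Constructed sample: the LDAP lines of the second smb.conf, placeholders kept.
sample_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF'
[global]
   Passdb Backend = ldapsam:ldap://xxx
   ldap admin dn = "xxx"
   ldap suffix = "xxx"
   ldap ssl = off
[data]
   path = /srv/data
EOF
    echo "$f"
}
conf=$(sample_conf); ldapsam_preflight "$conf"; rm -f "$conf"
```
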