[Samba] unexplained 'access denied' for windows workstations

mj lists at merit.unu.edu
Tue Jan 31 09:25:59 UTC 2017


Hi,

We are running a samba fileserver, access controlled using posix acl 
(right 770), with users/groups on the filesystem level.

Therefore samba shares look like this:

[share]
path = /srv/academic
read only = no
writable = yes
create mask = 0770
directory mask = 0770

Now certain users complain that they cannot access certain folders, but 
looking at the folders from the linux filesystem, their ownership is 
identical. (let's say username:"domain users")

If on the fileserver I su to a problem user ('su username') and I check 
group membership ('id') everything looks as expected, plus I CAN access 
the folders.

So it seems it's samba that denies access, and there is no posix acl 
issue. Looking at the samba logs, while the users get an access denied, 
I do not immediately see anything out of the ordinary:

> [2017/01/31 10:08:32.322315,  3] ../source3/smbd/dosmode.c:196(unix_mode)
>   unix_mode(digicam pictures/events/PHD Defences) returning 0770
> [2017/01/31 10:08:32.322337,  3] ../source3/smbd/dosmode.c:196(unix_mode)
>   unix_mode(digicam pictures/events/PHD Defences) returning 0760
> [2017/01/31 10:08:32.322387,  5] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>   signed SMB2 message
> [2017/01/31 10:08:32.322903,  4] ../source3/smbd/uid.c:384(change_to_user)
>   Skipping user change - already user
> [2017/01/31 10:08:32.322941,  5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>   check lock order 1 for /var/cache/samba/locking.tdb
> [2017/01/31 10:08:32.322990,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>   release lock order 1 for /var/cache/samba/locking.tdb
> [2017/01/31 10:08:32.323013,  5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>   check lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
> [2017/01/31 10:08:32.323042,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>   release lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
> [2017/01/31 10:08:32.323063,  5] ../source3/smbd/files.c:555(file_free)
>   freed files structure 3826762416 (5 used)
> [2017/01/31 10:08:32.323092,  5] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>   signed SMB2 message
> [2017/01/31 10:08:43.323568,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (5227, 513) - sec_ctx_stack_ndx = 0
> [2017/01/31 10:08:43.323612,  5] ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (45):
>     SID[  0]: S-1-22-1-5227
>     SID[  1]: S-1-22-2-513
>     SID[  2]: S-1-5-21-12345678-123456789-868425949-35723
>     SID[  3]: S-1-5-32-551
>     SID[  4]: S-1-5-21-12345678-123456789-868425949-54195
>     SID[  5]: S-1-22-2-5923
>     SID[  6]: S-1-22-2-512
>     SID[  7]: S-1-22-2-1074
>     SID[  8]: S-1-5-21-12345678-123456789-868425949-1427
>     SID[  9]: S-1-5-21-12345678-123456789-868425949-35793
>     SID[ 10]: S-1-22-2-17376
>     SID[ 11]: S-1-5-21-12345678-123456789-868425949-1066
>     SID[ 12]: S-1-5-21-12345678-123456789-868425949-1074
>     SID[ 13]: S-1-5-21-12345678-123456789-868425949-78605
>     SID[ 14]: S-1-5-21-12345678-123456789-868425949-35751
>     SID[ 15]: S-1-5-21-12345678-123456789-868425949-35755
>     SID[ 16]: S-1-5-21-12345678-123456789-868425949-35801
>     SID[ 17]: S-1-5-21-12345678-123456789-868425949-35733
>     SID[ 18]: S-1-22-2-17372
>     SID[ 19]: S-1-5-21-12345678-123456789-868425949-119399
>     SID[ 20]: S-1-22-2-10003
>     SID[ 21]: S-1-5-21-12345678-123456789-868425949-35771
>     SID[ 22]: S-1-5-21-12345678-123456789-868425949-133266
>     SID[ 23]: S-1-5-21-12345678-123456789-868425949-132320
>     SID[ 24]: S-1-5-21-12345678-123456789-868425949-132355
>     SID[ 25]: S-1-22-2-17361
>     SID[ 26]: S-1-22-2-551
>     SID[ 27]: S-1-22-2-26597
>     SID[ 28]: S-1-22-2-1047
>     SID[ 29]: S-1-22-2-17396
>     SID[ 30]: S-1-22-2-1002
>     SID[ 31]: S-1-22-2-1010
>     SID[ 32]: S-1-22-2-38802
>     SID[ 33]: S-1-22-2-17375
>     SID[ 34]: S-1-22-2-17377
>     SID[ 35]: S-1-22-2-17400
>     SID[ 36]: S-1-22-2-17366
>     SID[ 37]: S-1-22-2-59199
>     SID[ 38]: S-1-22-2-17385
>     SID[ 39]: S-1-22-2-10007
>     SID[ 40]: S-1-22-2-10008
>     SID[ 41]: S-1-22-2-10014
>     SID[ 42]: S-1-1-0
>     SID[ 43]: S-1-5-2
>     SID[ 44]: S-1-5-11
>    Privileges (0x               0):
>    Rights (0x               0):
> [2017/01/31 10:08:43.323953,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 5227
>   Primary group is 513 and contains 24 supplementary groups
>   Group[  0]: 513
>   Group[  1]: 17361
>   Group[  2]: 551
>   Group[  3]: 26597
>   Group[  4]: 5923
>   Group[  5]: 512
>   Group[  6]: 1074
>   Group[  7]: 1047
>   Group[  8]: 17396
>   Group[  9]: 17376
>   Group[ 10]: 1002
>   Group[ 11]: 1010
>   Group[ 12]: 38802
>   Group[ 13]: 17375
>   Group[ 14]: 17377
>   Group[ 15]: 17400
>   Group[ 16]: 17366
>   Group[ 17]: 17372
>   Group[ 18]: 59199
>   Group[ 19]: 10003
>   Group[ 20]: 17385
>   Group[ 21]: 10007
>   Group[ 22]: 10008
>   Group[ 23]: 10014
> [2017/01/31 10:08:43.324094,  5] ../source3/smbd/uid.c:363(change_to_user_internal)
>   Impersonated user: uid=(5227,5227), gid=(0,513)
> [2017/01/31 10:08:43.324115,  4] ../source3/smbd/vfs.c:858(vfs_ChDir)
>   vfs_ChDir to /tmp
> [2017/01/31 10:08:43.324143,  4] ../source3/smbd/vfs.c:869(vfs_ChDir)
>   vfs_ChDir got /tmp
> [2017/01/31 10:08:43.324160,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/01/31 10:08:43.324175,  5] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2017/01/31 10:08:43.324192,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2017/01/31 10:08:43.324217,  5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2017/01/31 10:08:43.324251,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/01/31 10:08:43.324269,  5] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2017/01/31 10:08:43.324284,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2017/01/31 10:08:43.324307,  5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2017/01/31 10:08:43.324324,  5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>   check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
> [2017/01/31 10:08:43.324400,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>   release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
> [2017/01/31 10:08:43.324423,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/01/31 10:08:43.324441,  5] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2017/01/31 10:08:43.324455,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2017/01/31 10:08:43.324478,  5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2017/01/31 10:08:43.324501,  3] ../source3/smbd/service.c:1138(close_cnum)
>   192.87.143.126 (ipv4:192.87.143.126:50887) closed connection to service IPC$
> [2017/01/31 10:08:43.324528,  4] ../source3/smbd/vfs.c:858(vfs_ChDir)
>   vfs_ChDir to /
> [2017/01/31 10:08:43.324552,  4] ../source3/smbd/vfs.c:869(vfs_ChDir)
>   vfs_ChDir got /
> [2017/01/31 10:08:43.324571,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/01/31 10:08:43.324587,  5] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2017/01/31 10:08:43.324601,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2017/01/31 10:08:43.324623,  5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2017/01/31 10:08:43.324660,  5] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>   signed SMB2 message

Anyone with an idea where to look..?

(fileserver running samba-4.2.11, debian wheezy)

MJ
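
One way to carry out the comparison the post describes (smbd's view of the user versus `id` on the server), as an added example that is not part of the original message: it parses the `debug_unix_user_token` blocks of a level 5 smbd log and diffs the group IDs against `id -G` output. The function names are hypothetical, and the sample log and `id -G` string are constructed in the format shown above.

```python
import re

# Constructed sample: trimmed excerpt in the format of the level 5 log above.
SAMPLE_LOG = """\
> [2017/01/31 10:08:43.323953,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 5227
>   Primary group is 513 and contains 3 supplementary groups
>   Group[  0]: 513
>   Group[  1]: 17361
>   Group[  2]: 551
> [2017/01/31 10:08:43.324094,  5] ../source3/smbd/uid.c:363(change_to_user_internal)
>   Impersonated user: uid=(5227,5227), gid=(0,513)
> [2017/01/31 10:08:43.324192,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
"""

USER_RE = re.compile(r"UNIX token of user (\d+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+) and contains \d+ supplementary groups")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")

def parse_unix_tokens(text):
    """Return {uid: set of gids} as smbd logged them; the last block per uid wins."""
    tokens, uid = {}, None
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()      # tolerate mail-quoted ("> ") log lines
        m = USER_RE.search(line)
        if m:
            uid = int(m.group(1))
            tokens[uid] = set()             # start a fresh token block
        elif line.startswith("["):          # next log record header ends the block
            uid = None
        elif uid is not None:
            m = PRIMARY_RE.search(line) or GROUP_RE.search(line)
            if m:
                tokens[uid].add(int(m.group(1)))
    return tokens

def diff_against_id(token_gids, id_g_output):
    """Compare smbd's gids with the output of `id -G <user>` on the server.

    Returns (only_in_id, only_in_smbd) as sorted lists of numeric gids.
    """
    id_gids = {int(g) for g in id_g_output.split()}
    return sorted(id_gids - token_gids), sorted(token_gids - id_gids)

if __name__ == "__main__":
    smbd_gids = parse_unix_tokens(SAMPLE_LOG)[5227]
    # Constructed `id -G` output for the same user.
    print(diff_against_id(smbd_gids, "513 17361 551 26597"))
```

A gid that appears only on the `id` side is one smbd did not have in the session token when the log was written; checking it against the group owning the affected folder shows whether the two views actually disagree.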


