[Samba] unexplained 'access denied' for windows workstations
lists
lists at merit.unu.edu
Tue Jan 31 12:12:28 UTC 2017
Hi,
Even though the user had already rebooted this morning, another reboot
seems to have solved this issue.
MJ
On 31-1-2017 10:25, mj via samba wrote:
> Hi,
>
> We are running a Samba fileserver, access controlled using POSIX ACLs
> (rights 770, with users/groups on the filesystem level).
>
> Therefore samba shares look like this:
>
> [share]
> path = /srv/academic
> read only = no
> writable = yes
> create mask = 0770
> directory mask = 0770
>
> Now certain users complain that they cannot access certain folders, but
> looking at the folders from the Linux filesystem, their ownership is
> identical. (let's say username:"domain users")
>
> If on the fileserver I su to a problem user ('su username') and I check
> group membership ('id') everything looks as expected, plus I CAN access
> the folders.
>
> So it seems it's Samba that denies access, and there is no POSIX ACL
> issue. Looking at the Samba logs, while the user gets an access denied,
> I do not immediately see anything out of the ordinary:
>
>> [2017/01/31 10:08:32.322315, 3] ../source3/smbd/dosmode.c:196(unix_mode)
>> unix_mode(digicam pictures/events/PHD Defences) returning 0770
>> [2017/01/31 10:08:32.322337, 3] ../source3/smbd/dosmode.c:196(unix_mode)
>> unix_mode(digicam pictures/events/PHD Defences) returning 0760
>> [2017/01/31 10:08:32.322387, 5]
>> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>> signed SMB2 message
>> [2017/01/31 10:08:32.322903, 4]
>> ../source3/smbd/uid.c:384(change_to_user)
>> Skipping user change - already user
>> [2017/01/31 10:08:32.322941, 5]
>> ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>> check lock order 1 for /var/cache/samba/locking.tdb
>> [2017/01/31 10:08:32.322990, 5]
>> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>> release lock order 1 for /var/cache/samba/locking.tdb
>> [2017/01/31 10:08:32.323013, 5]
>> ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>> check lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
>> [2017/01/31 10:08:32.323042, 5]
>> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>> release lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
>> [2017/01/31 10:08:32.323063, 5] ../source3/smbd/files.c:555(file_free)
>> freed files structure 3826762416 (5 used)
>> [2017/01/31 10:08:32.323092, 5]
>> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>> signed SMB2 message
>> [2017/01/31 10:08:43.323568, 4]
>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (5227, 513) - sec_ctx_stack_ndx = 0
>> [2017/01/31 10:08:43.323612, 5]
>> ../libcli/security/security_token.c:63(security_token_debug)
>> Security token SIDs (45):
>> SID[ 0]: S-1-22-1-5227
>> SID[ 1]: S-1-22-2-513
>> SID[ 2]: S-1-5-21-12345678-123456789-868425949-35723
>> SID[ 3]: S-1-5-32-551
>> SID[ 4]: S-1-5-21-12345678-123456789-868425949-54195
>> SID[ 5]: S-1-22-2-5923
>> SID[ 6]: S-1-22-2-512
>> SID[ 7]: S-1-22-2-1074
>> SID[ 8]: S-1-5-21-12345678-123456789-868425949-1427
>> SID[ 9]: S-1-5-21-12345678-123456789-868425949-35793
>> SID[ 10]: S-1-22-2-17376
>> SID[ 11]: S-1-5-21-12345678-123456789-868425949-1066
>> SID[ 12]: S-1-5-21-12345678-123456789-868425949-1074
>> SID[ 13]: S-1-5-21-12345678-123456789-868425949-78605
>> SID[ 14]: S-1-5-21-12345678-123456789-868425949-35751
>> SID[ 15]: S-1-5-21-12345678-123456789-868425949-35755
>> SID[ 16]: S-1-5-21-12345678-123456789-868425949-35801
>> SID[ 17]: S-1-5-21-12345678-123456789-868425949-35733
>> SID[ 18]: S-1-22-2-17372
>> SID[ 19]: S-1-5-21-12345678-123456789-868425949-119399
>> SID[ 20]: S-1-22-2-10003
>> SID[ 21]: S-1-5-21-12345678-123456789-868425949-35771
>> SID[ 22]: S-1-5-21-12345678-123456789-868425949-133266
>> SID[ 23]: S-1-5-21-12345678-123456789-868425949-132320
>> SID[ 24]: S-1-5-21-12345678-123456789-868425949-132355
>> SID[ 25]: S-1-22-2-17361
>> SID[ 26]: S-1-22-2-551
>> SID[ 27]: S-1-22-2-26597
>> SID[ 28]: S-1-22-2-1047
>> SID[ 29]: S-1-22-2-17396
>> SID[ 30]: S-1-22-2-1002
>> SID[ 31]: S-1-22-2-1010
>> SID[ 32]: S-1-22-2-38802
>> SID[ 33]: S-1-22-2-17375
>> SID[ 34]: S-1-22-2-17377
>> SID[ 35]: S-1-22-2-17400
>> SID[ 36]: S-1-22-2-17366
>> SID[ 37]: S-1-22-2-59199
>> SID[ 38]: S-1-22-2-17385
>> SID[ 39]: S-1-22-2-10007
>> SID[ 40]: S-1-22-2-10008
>> SID[ 41]: S-1-22-2-10014
>> SID[ 42]: S-1-1-0
>> SID[ 43]: S-1-5-2
>> SID[ 44]: S-1-5-11
>> Privileges (0x 0):
>> Rights (0x 0):
>> [2017/01/31 10:08:43.323953, 5]
>> ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 5227
>> Primary group is 513 and contains 24 supplementary groups
>> Group[ 0]: 513
>> Group[ 1]: 17361
>> Group[ 2]: 551
>> Group[ 3]: 26597
>> Group[ 4]: 5923
>> Group[ 5]: 512
>> Group[ 6]: 1074
>> Group[ 7]: 1047
>> Group[ 8]: 17396
>> Group[ 9]: 17376
>> Group[ 10]: 1002
>> Group[ 11]: 1010
>> Group[ 12]: 38802
>> Group[ 13]: 17375
>> Group[ 14]: 17377
>> Group[ 15]: 17400
>> Group[ 16]: 17366
>> Group[ 17]: 17372
>> Group[ 18]: 59199
>> Group[ 19]: 10003
>> Group[ 20]: 17385
>> Group[ 21]: 10007
>> Group[ 22]: 10008
>> Group[ 23]: 10014
>> [2017/01/31 10:08:43.324094, 5]
>> ../source3/smbd/uid.c:363(change_to_user_internal)
>> Impersonated user: uid=(5227,5227), gid=(0,513)
>> [2017/01/31 10:08:43.324115, 4] ../source3/smbd/vfs.c:858(vfs_ChDir)
>> vfs_ChDir to /tmp
>> [2017/01/31 10:08:43.324143, 4] ../source3/smbd/vfs.c:869(vfs_ChDir)
>> vfs_ChDir got /tmp
>> [2017/01/31 10:08:43.324160, 4]
>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2017/01/31 10:08:43.324175, 5]
>> ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2017/01/31 10:08:43.324192, 5]
>> ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2017/01/31 10:08:43.324217, 5]
>> ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>> change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2017/01/31 10:08:43.324251, 4]
>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2017/01/31 10:08:43.324269, 5]
>> ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2017/01/31 10:08:43.324284, 5]
>> ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2017/01/31 10:08:43.324307, 5]
>> ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>> change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2017/01/31 10:08:43.324324, 5]
>> ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>> check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
>> [2017/01/31 10:08:43.324400, 5]
>> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>> release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
>> [2017/01/31 10:08:43.324423, 4]
>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2017/01/31 10:08:43.324441, 5]
>> ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2017/01/31 10:08:43.324455, 5]
>> ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2017/01/31 10:08:43.324478, 5]
>> ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>> change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2017/01/31 10:08:43.324501, 3]
>> ../source3/smbd/service.c:1138(close_cnum)
>> 192.87.143.126 (ipv4:192.87.143.126:50887) closed connection to
>> service IPC$
>> [2017/01/31 10:08:43.324528, 4] ../source3/smbd/vfs.c:858(vfs_ChDir)
>> vfs_ChDir to /
>> [2017/01/31 10:08:43.324552, 4] ../source3/smbd/vfs.c:869(vfs_ChDir)
>> vfs_ChDir got /
>> [2017/01/31 10:08:43.324571, 4]
>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2017/01/31 10:08:43.324587, 5]
>> ../libcli/security/security_token.c:53(security_token_debug)
>> Security token: (NULL)
>> [2017/01/31 10:08:43.324601, 5]
>> ../source3/auth/token_util.c:639(debug_unix_user_token)
>> UNIX token of user 0
>> Primary group is 0 and contains 0 supplementary groups
>> [2017/01/31 10:08:43.324623, 5]
>> ../source3/smbd/uid.c:425(smbd_change_to_root_user)
>> change_to_root_user: now uid=(0,0) gid=(0,0)
>> [2017/01/31 10:08:43.324660, 5]
>> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>> signed SMB2 message
>
> Anyone with an idea where to look..?
>
> (fileserver running samba-4.2.11, debian wheezy)
>
> MJ
>
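Added example, not part of the original thread: a Python sketch that extracts the UNIX token smbd logged for a session from a level-5 log like the one quoted above and diffs its group list against the gids that `id -G` reports for the same user on the server. The sample log is constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed, shortened sample in the format of the smbd log quoted above.
SAMPLE_LOG = """\
[2017/01/31 10:08:43.323953, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 5227
  Primary group is 513 and contains 3 supplementary groups
  Group[ 0]: 513
  Group[ 1]: 17361
  Group[ 2]: 551
[2017/01/31 10:08:43.324192, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
"""

TOKEN_RE = re.compile(r"UNIX token of user (\d+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+) and contains \d+ supplementary groups")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")


def parse_unix_tokens(log_text):
    """Return {uid: set of gids} for each 'UNIX token of user' block.

    Accepts raw log text or text quoted with '>' as in a mail reply.
    A later block for the same uid replaces the earlier one.
    """
    tokens, uid = {}, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()
        if line.startswith("["):          # a new log record ends the current block
            uid = None
            continue
        m = TOKEN_RE.search(line)
        if m:
            uid = int(m.group(1))
            tokens[uid] = set()
            continue
        if uid is None:
            continue
        m = PRIMARY_RE.search(line) or GROUP_RE.search(line)
        if m:
            tokens[uid].add(int(m.group(1)))
    return tokens


def diff_groups(session_gids, nss_gids):
    """Compare the gids in smbd's session token with those from `id -G`."""
    return {
        "missing_from_session": sorted(set(nss_gids) - set(session_gids)),
        "only_in_session": sorted(set(session_gids) - set(nss_gids)),
    }
```

Feed `diff_groups` the set parsed for the affected uid and the integers printed by `id -G username`; a gid under `missing_from_session` that owns the inaccessible folder means the session is running with a different group list than the one `su` and `id` show.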