[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue

Sebastian Arcus s.arcus at open-t.co.uk
Mon Mar 12 11:11:44 UTC 2018


I have a Samba AD running Samba 4.7.5. Everything was working fine, 
when, seemingly out of the blue, the users started to be denied access 
to all shares. If I try from a Windows 7 or Windows 10 machine, logged 
in as a user in "Domain Uses", I get:

"Windows cannot access \\server-name\share_name. You do not have 
permission to access \\server-name\share_name"

If I use smbclient, it allows me to login on the share, but if I do 
'ls', I get:

smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I have tried the following:

1. The Domain admin can still access the shares - both from smbclient 
and from Windows machines.

2. I have checked the acl's on the server, they look ok:

# getfacl share_name/
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---

3. "wbinfo -g" and "wbinfo -u" work correctly

4. Kerberos tests work correctly

5. There are no errors in the Bind/dns configuration

6. I have logged in through Windows and reset the permissions there to 
allow "Domain Users" on the share

7. All my smb.conf shares look like this:

[share_name]
path = /srv/samba/share_name
read only = No
inherit acls = yes


I am at a loss how "Domain Users" is denied access to the share, when 
everything appears to be fine. Any suggestions much appreciated!



More information about the samba mailing list