[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
Sebastian Arcus
s.arcus at open-t.co.uk
Mon Mar 12 11:11:44 UTC 2018
I have a Samba AD running Samba 4.7.5. Everything was working fine,
when, seemingly out of the blue, the users started to be denied access
to all shares. If I try from a Windows 7 or Windows 10 machine, logged
in as a user in "Domain Uses", I get:
"Windows cannot access \\server-name\share_name. You do not have
permission to access \\server-name\share_name"
If I use smbclient, it allows me to login on the share, but if I do
'ls', I get:
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
I have tried the following:
1. The Domain admin can still access the shares - both from smbclient
and from Windows machines.
2. I have checked the acl's on the server, they look ok:
# getfacl share_name/
# file: clients/
# owner: root
# group: MYDOMAIN\134domain\040users
user::rwx
group::rwx
group:MYDOMAIN\134domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:MYDOMAIN\134domain\040users:rwx
default:mask::rwx
default:other::---
3. "wbinfo -g" and "wbinfo -u" work correctly
4. Kerberos tests work correctly
5. There are no errors in the Bind/dns configuration
6. I have logged in through Windows and reset the permissions there to
allow "Domain Users" on the share
7. All my smb.conf shares look like this:
[share_name]
path = /srv/samba/share_name
read only = No
inherit acls = yes
I am at a loss how "Domain Users" is denied access to the share, when
everything appears to be fine. Any suggestions much appreciated!
More information about the samba
mailing list