[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue

Sebastian Arcus s.arcus at open-t.co.uk
Mon Mar 12 11:36:47 UTC 2018


On 12/03/18 11:28, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:11:44 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> 
>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>> when, seemingly out of the blue, the users started to be denied
>> access to all shares. If I try from a Windows 7 or Windows 10
>> machine, logged in as a user in "Domain Users", I get:
>>
>> "Windows cannot access \\server-name\share_name. You do not have
>> permission to access \\server-name\share_name"
>>
>> If I use smbclient, it allows me to login on the share, but if I do
>> 'ls', I get:
>>
>> smb: \> ls
>> NT_STATUS_ACCESS_DENIED listing \*
>>
>> I have tried the following:
>>
>> 1. The Domain admin can still access the shares - both from smbclient
>> and from Windows machines.
>>
>> 2. I have checked the ACLs on the server, they look ok:
>>
>> # getfacl share_name/
>> # file: clients/
>> # owner: root
>> # group: MYDOMAIN\134domain\040users
>> user::rwx
>> group::rwx
>> group:MYDOMAIN\134domain\040users:rwx
>> mask::rwx
>> other::rwx
>> default:user::rwx
>> default:group::rwx
>> default:group:MYDOMAIN\134domain\040users:rwx
>> default:mask::rwx
>> default:other::---
>>
>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>
>> 4. Kerberos tests work correctly
>>
>> 5. There are no errors in the Bind/dns configuration
>>
>> 6. I have logged in through Windows and reset the permissions there
>> to allow "Domain Users" on the share
>>
>> 7. All my smb.conf shares look like this:
>>
>> [share_name]
>> path = /srv/samba/share_name
>> read only = No
>> inherit acls = yes
>>
>>
>> I am at a loss how "Domain Users" is denied access to the share, when
>> everything appears to be fine. Any suggestions much appreciated!
>>
> 
> Can you post your entire smb.conf (as on disk)


Hi Rowland. Please find the smb.conf below:


# Global parameters
[global]
         netbios name = HEBU-SERVER
         realm = HEBU.LAN
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = HEBU
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes

         bind interfaces only = Yes
         interfaces = lo br0 tun0

log file = /var/log/samba/%m.log
#cap log file
max log size = 1000

mangling method = hash2
mangle prefix = 6
reset on zero vc = Yes
deadtime = 10

load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64

[netlogon]
	path = /var/lib/samba/sysvol/hebu.lan/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[printers]
path = /var/spool/samba
printable = yes
printing = cups
cups options = raw

[print$]
path = /var/lib/samba/printers
read only = no

[admin]
path = /srv/samba/admin
read only = No
inherit acls = yes

####################################
# Recycle bin options

vfs objects = recycle
recycle:repository = Recycle.Bin
recycle:directory_mode = 0770
recycle:subdir_mode = 0770
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
recycle:versions = Yes
recycle:touch_mtime = Yes
recycle:keeptree = No
recycle:minsize = 1

[clients]
path = /srv/samba/clients
read only = No
inherit acls = yes

####################################
# Recycle bin options

vfs objects = recycle
recycle:repository = Recycle.Bin
recycle:directory_mode = 0770
recycle:subdir_mode = 0770
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
recycle:versions = Yes
recycle:touch_mtime = Yes
recycle:keeptree = No
recycle:minsize = 1



