[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue

Sebastian Arcus s.arcus at open-t.co.uk
Mon Mar 12 13:17:19 UTC 2018


On 12/03/18 12:56, Rowland Penny via samba wrote:
> On Mon, 12 Mar 2018 11:36:47 +0000
> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> 
>>
>> On 12/03/18 11:28, Rowland Penny via samba wrote:
>>> On Mon, 12 Mar 2018 11:11:44 +0000
>>> Sebastian Arcus via samba <samba at lists.samba.org> wrote:
>>>
>>>> I have a Samba AD running Samba 4.7.5. Everything was working fine,
>>>> when, seemingly out of the blue, the users started to be denied
>>>> access to all shares. If I try from a Windows 7 or Windows 10
>>>> machine, logged in as a user in "Domain Users", I get:
>>>>
>>>> "Windows cannot access \\server-name\share_name. You do not have
>>>> permission to access \\server-name\share_name"
>>>>
>>>> If I use smbclient, it allows me to login on the share, but if I do
>>>> 'ls', I get:
>>>>
>>>> smb: \> ls
>>>> NT_STATUS_ACCESS_DENIED listing \*
>>>>
>>>> I have tried the following:
>>>>
>>>> 1. The Domain admin can still access the shares - both from
>>>> smbclient and from Windows machines.
>>>>
>>>> 2. I have checked the ACLs on the server, they look ok:
>>>>
>>>> # getfacl share_name/
>>>> # file: clients/
>>>> # owner: root
>>>> # group: MYDOMAIN\134domain\040users
>>>> user::rwx
>>>> group::rwx
>>>> group:MYDOMAIN\134domain\040users:rwx
>>>> mask::rwx
>>>> other::rwx
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:MYDOMAIN\134domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> 3. "wbinfo -g" and "wbinfo -u" work correctly
>>>>
>>>> 4. Kerberos tests work correctly
>>>>
>>>> 5. There are no errors in the Bind/dns configuration
>>>>
>>>> 6. I have logged in through Windows and reset the permissions there
>>>> to allow "Domain Users" on the share
>>>>
>>>> 7. All my smb.conf shares look like this:
>>>>
>>>> [share_name]
>>>> path = /srv/samba/share_name
>>>> read only = No
>>>> inherit acls = yes
>>>>
>>>>
>>>> I am at a loss how "Domain Users" is denied access to the share,
>>>> when everything appears to be fine. Any suggestions much
>>>> appreciated!
>>>>
>>>
>>> Can you post your entire smb.conf (as on disk)
>>
>>
>> Hi Rowland. Please find the smb.conf below:
>>
>>
>> # Global parameters
>> [global]
>>           netbios name = HEBU-SERVER
>>           realm = HEBU.LAN
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>           workgroup = HEBU
>>           server role = active directory domain controller
>>           idmap_ldb:use rfc2307 = yes
>>
>>           bind interfaces only = Yes
>>           interfaces = lo br0 tun0
>>
> 
> There are a few default settings there, but nothing really wrong except
> for 'inherit acls = yes'. You cannot use things like this on a DC, you
> need to set the permissions from Windows, see here:

I actually added 'inherit acls = yes' after the problem started, just in 
case. I used the second link below to set the permissions from Windows - 
adding 'Domain Users' to the list (when logged in as the domain 
Administrator - which it let me). But I still can't access them using 
any other domain user. I just discovered that even if I add users to the 
'Domain Admins' group, they are still not allowed to access the shares.

> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
> 
> and:
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> I don't think this is your main problem though, did the problem start
> after a Windows update?
> I think your clients are possibly trying to connect with NTLMv2

If that was the case, shouldn't smbclient continue to work? I can't list 
the contents of the shares even using smbclient.


