[Samba] NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue
Rowland Penny
rpenny at samba.org
Mon Mar 12 14:28:46 UTC 2018
On Mon, 12 Mar 2018 13:17:19 +0000
Sebastian Arcus via samba <samba at lists.samba.org> wrote:
> On 12/03/18 12:56, Rowland Penny via samba wrote:
> >
> > I don't think this is your main problem though, did the problem
> > start after a windows update ?
> > I think your clients are possibly trying to connect with NTLMv2
>
> If that was the case, shouldn't smbclient continue to work? I can't
> list the contents of the shares even using smbclient.
OK, I ran some tests on one of my DCs:
root@dc1:~# smbclient -L localhost
Enter Administrator@SAMDOM.EXAMPLE.COM's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
data Disk
IPC$ IPC IPC Service (Samba 4.7.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP DC1
Anonymous login works.
root@dc1:~# smbclient '\\dc1\data'
Enter Administrator@SAMDOM.EXAMPLE.COM's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 15 12:55:50 2014
.. D 0 Sun Dec 17 13:19:43 2017
staff D 0 Fri Aug 15 12:55:50 2014
456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit
root@dc1:~# smbclient '\\dc1\data' rowland
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@dc1:~# smbclient '\\dc1\data' -U rowland
Enter SAMDOM\rowland's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 15 12:55:50 2014
.. D 0 Sun Dec 17 13:19:43 2017
staff D 0 Fri Aug 15 12:55:50 2014
456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit
Connecting to the share as Administrator works.
root@dc1:~# smbclient '\\dc1\data' <domain user>
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@dc1:~# smbclient '\\dc1\data' -U <domain user>
Enter SAMDOM\<domain user>'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 15 12:55:50 2014
.. D 0 Sun Dec 17 13:19:43 2017
staff D 0 Fri Aug 15 12:55:50 2014
456646960 blocks of size 1024. 338538048 blocks available
smb: \> exit
Connecting to the share as a normal domain user works.
This shows the Unix permissions on the share:
root@dc1:~# ls -lad /home/shared
drwxr-xr-x 3 root root 4096 Aug 15 2014 /home/shared
And this is the output of getfacl:
root@dc1:~# getfacl /home/shared/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/
# owner: root
# group: root
user::rwx
group::r-x
group:SAMDOM\134domain\040users:rwx
mask::rwx
other::r-x
I then connected to the share from a Linux machine as the domain user
and created a file, 'ls' now shows this:
root@dc1:~# ls /home/shared/
hello.txt staff
root@dc1:~# ls -la /home/shared/
total 20
drwxrwxr-x+ 3 root root 4096 Mar 12 14:05 .
drwxr-xr-x 10 root root 4096 Dec 17 13:19 ..
-rwxrwxr-x+ 1 SAMDOM\<domain user> SAMDOM\domain users 0 Mar 12 14:05 hello.txt
drwxrwxrwx+ 2 SAMDOM\<domain user> 10001 4096 Aug 15 2014 staff
If something like the above doesn't work for you, then something is
wrong.
Does 'getent passwd username' produce output?
Rowland
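
Added example, not part of the message above and not Samba code: a small parser for the getfacl output shown in the message. It decodes the \134 and \040 octal escapes in the group name and reports what a named entry gets once the mask is applied. The function names are hypothetical and the sample is the getfacl listing from the message.

```python
import re

# Sample input: the getfacl output quoted in the message above.
SAMPLE_GETFACL = r"""# file: home/shared/
# owner: root
# group: root
user::rwx
group::r-x
group:SAMDOM\134domain\040users:rwx
mask::rwx
other::r-x
"""

def unescape(name):
    """Decode getfacl's \\ooo octal escapes (\\134 is a backslash, \\040 a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, perms)]) for the access ACL."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = unescape(value)
        elif line and not line.startswith("default:"):
            # Default ACLs only affect newly created files, so skip them here.
            # Drop any trailing "#effective:..." comment before splitting.
            body = line.split("#")[0].strip()
            tag, _, rest = body.partition(":")
            qualifier, _, perms = rest.rpartition(":")
            entries.append((tag, unescape(qualifier), perms))
    return header, entries

def effective_perms(entries, tag, qualifier):
    """Permissions an entry really grants; None if there is no such entry."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    # The mask limits named users, named groups and the owning group only.
    masked = tag == "group" or (tag == "user" and qualifier != "")
    for t, q, p in entries:
        if t == tag and q.lower() == qualifier.lower():
            if not masked:
                return p
            return "".join(c if c == m else "-" for c, m in zip(p, mask))
    return None

if __name__ == "__main__":
    header, entries = parse_getfacl(SAMPLE_GETFACL)
    print(header["file"], effective_perms(entries, "group", r"SAMDOM\domain users"))
```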